Found out it's pretty simple to restrict access to the admin console/endpoint to a separate port or to an IP address range. This can be achieved with built-in filters in WildFly. Documentation incoming, see https://github.com/keycloak/keycloak-documentation/pull/267