Found out it's pretty simple to restrict access to the admin
console/endpoint to a separate port or to an IP address range. This can be
achieved with built-in filters in WildFly.
Documentation incoming, see
https://github.com/keycloak/keycloak-documentation/pull/267
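
The kind of filter setup the message refers to, as an added example that is not part of the original message or of the linked documentation PR: a fragment of WildFly's standalone.xml using Undertow expression filters. The `/auth/admin` path prefix, the `10.0.0.0/24` range, port 8444, the `ApplicationRealm` TLS realm and all filter, listener and binding names are assumptions to adapt.

```xml
<!-- Added example. Inside the undertow subsystem of standalone.xml.
     Use option A or option B; both are shown here for comparison. -->
<server name="default-server">
    <!-- existing http/https listeners stay unchanged -->

    <!-- Option B only: extra TLS listener dedicated to admin traffic
         (assumed to reuse the TLS realm of the existing https listener) -->
    <https-listener name="https-admin" socket-binding="https-admin"
                    security-realm="ApplicationRealm"/>

    <host name="default-host" alias="localhost">
        <!-- existing locations stay unchanged -->

        <!-- Option A: admin paths reachable only from an internal range -->
        <filter-ref name="ipAccess"/>

        <!-- Option B: admin paths reachable only on the dedicated port -->
        <filter-ref name="portAccess"/>
    </host>
</server>

<filters>
    <!-- Requests under /auth/admin pass only if the peer address matches
         the ACL; anything not matched is rejected (default-allow is false). -->
    <expression-filter name="ipAccess"
        expression="path-prefix('/auth/admin') -> ip-access-control(acl={'10.0.0.0/24 allow'})"/>

    <!-- %p is the local port the request arrived on; admin requests on any
         other port get a 403. -->
    <expression-filter name="portAccess"
        expression="path-prefix('/auth/admin') and not equals(%p, 8444) -> response-code(403)"/>
</filters>

<!-- Option B only: inside the socket-binding-group of the same file,
     the port that the https-admin listener binds to. -->
<socket-binding name="https-admin" port="8444"/>
```

If WildFly sits behind a reverse proxy, the address the IP filter sees is the proxy's unless forwarded headers are honoured, so check the rule from an address outside the allowed range before relying on it. With option B, the admin port still needs to be limited at the firewall or load balancer to the networks that should reach it.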