Understand that I can block off client panel by using ACL:
I tried it, it worked fine, and the front page will show "access denied", but the problem is, if I apply ACL, my attachment had problem to show:
What's the best way to totally block off client panel?
Via webserver rules. You can block all requests going to non-/scp urls.
Well, I tried the htaccess method, and I have had another issue
Seems like I'd give up blocking client portal.