July 30, 2009
Question

What is the best practice to protect the ColdFusion Administrator login page?


Hi all,

Can someone suggest what the best practice is to protect the administrator login? At the moment, there is only the normal administrator page password to protect it. That does not seem very secure, especially when the application is on the internet.

Regards,

Bubblegum.


    2 replies

    July 31, 2009

    You can protect the page with file system level privs. Set up a new virtual server that maps to a separate copy of /cfide (and remove /admin and /adminapi from the other cfide folder your internet sites use). Limit what IP addresses can hit /cfide.

    We run multiple instances, so we connect directly to each instance to manage it. And those ports aren't accessible on the internet. To top it off, we have an ISAPI ReWrite rule that sends a 404 if you try /cfide/administrator or adminapi.

    If you're using CF8, you can set it up so it requires a specific username instead of a generic name.

    July 30, 2009

    Depends on what operating system you're using. In Win2k3 Server IIS you can limit what IP address can access a certain folder. I limit the cfide/admin folder to my local IP address and one away IP, that way I'm the only one able to get in.

    If your CF Administrator is available over the web, especially at a location like www.mywebsite.com/cfide/administrator, you are asking for it.

    Just want to add that until you can limit the access to your administrator, put in a very long password that's next to impossible to guess.
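
A way to verify the restrictions described in the replies above (the IP allowlist on /cfide and the 404 rule) from the server's own logs, added here as an example that is not part of the original thread. It reads an IIS W3C extended log through its `#Fields` header and reports administrator or adminapi requests that came from outside the allowlist and were not answered with 403 or 404; the sample log, the IP addresses and the function name are constructed for illustration.

```python
import ipaddress

# Admin paths named in the thread; IIS treats URLs case-insensitively.
ADMIN_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")

# Constructed sample log (documentation-range IPs, reduced field list).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-07-31 09:00:01 192.0.2.10 GET /CFIDE/administrator/index.cfm 200
2009-07-31 09:02:17 203.0.113.45 GET /cfide/administrator/index.cfm 404
2009-07-31 09:03:40 198.51.100.7 GET /CFIDE/Administrator/index.cfm 200
2009-07-31 09:04:02 198.51.100.7 POST /CFIDE/adminapi/administrator.cfc 200
2009-07-31 09:05:00 203.0.113.45 GET /index.cfm 200
"""

def audit_admin_access(log_text, allowed_networks):
    """Return (line_no, client_ip, uri, status) for admin-path requests that
    came from outside the allowlist and were not rejected with 403/404."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    fields, findings = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        uri = row.get("cs-uri-stem", "")
        if not uri.lower().startswith(ADMIN_PREFIXES):
            continue
        ip_text = row.get("c-ip", "")
        try:
            client = ipaddress.ip_address(ip_text)
            trusted = any(client in net for net in allowed)
        except ValueError:
            trusted = False  # unparseable client address is never trusted
        status = row.get("sc-status", "")
        if trusted or status in ("403", "404"):
            continue
        findings.append((line_no, ip_text, uri, status))
    return findings

if __name__ == "__main__":
    for finding in audit_admin_access(SAMPLE_LOG, ["192.0.2.10/32"]):
        print("admin path reachable from outside allowlist:", finding)
```

An empty result over a period in which outside requests were logged indicates the IP restriction or the 404 rule is answering them.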