We've done exactly this several times - apply Deny for WTObect.
Need to be careful though - Deny at root level doesn't let admin's do anything either - if they need to work then need to apply at lower level(s).
If you just need to not allow any logins (including admin), then stop Apache.