#38481 Recommended settings for a development environment

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 4.2.7
PHP version: 8.0
Admin Tools version: 7.2.1

Latest post by nicholas on Tuesday, 07 February 2023 04:26 CST

Nick_Q

I have been a big fan of your extensions for many years and traditionally use both Backup and Admin tools on all my sites to great effect.

My question concerns the settings you would suggest within Admin tools for a "young/new site" that is likely to have multiple changes in a short period of time and the danger of these being perceived as malicious intent.

Traditionally I would always amend the administrative URL and set the rescue option. I prefer to not whitelist any URLs as I am never 100% accessing from the same machine.

Is there anything specific you would also recommend during this "Set up" time even if it is subsequently revoked or introduced for a settled production site?

nicholas
Akeeba Staff
Manager

Basically, you don't need to do anything special anymore :) You just need to go through the Quick Setup wizard.

You can safely use the secret URL parameter now, even on a development site. We have added an option (enabled by default) which sets a secure cookie in your browser once you provide the correct secret URL parameter. If your session expires, or becomes corrupt, the cookie kicks in and saves you from the ignominy of getting yourself blocked for accessing the backend without the secret URL parameter. This is a safe setting to keep even on a production site; the cookie is destroyed when you click on User Menu, Logout in the backend of the site.

Definitely leave the Rescue Mode enabled because you will end up blocking yourself more often than not. That's part of the process of tailoring the protection to your site's needs and the reason this feature exists.

I agree that you should never whitelist IPs if you are not on a static IP, let alone the same machine, all the time. This is a feature I never use myself outside of development and testing.

Beyond that, it's best for you to treat your dev site like your live site. Use the same kind of protections you'd use on the live site. You want to see if something gets blocked that shouldn't so you can configure Admin Tools accordingly. It's far easier doing it as you build the site out rather than trying to do it as its own, separate step at the very end of the site development process. Doing it as you go, you'll definitely hit any snags your visitors might. Doing it at the end would require an impressive discipline at documenting every possible interaction with the site and going through it — it's difficult if you have a team with a dedicated security consultant and outright unrealistic for a solo site integrator.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
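
The gate behaviour described in the reply above (secret URL parameter, a fallback cookie when the session is gone, logout clearing that cookie), sketched as an added example that is not part of the ticket and is not Admin Tools' code. The function names, the HMAC-signed cookie format, the lifetime and the secret value are assumptions made for illustration; browser cookie flags are not modelled.

```php
<?php
declare(strict_types=1);
// Conceptual model only, NOT Admin Tools' code; names and cookie format are assumptions.

const SECRET_WORD = 'constructed-secret';   // constructed sample value
const COOKIE_TTL  = 86400;                  // assumed lifetime, in seconds

/** Issue "expiry.hmac": a value only the holder of the server key can produce. */
function issueCookie(string $serverKey, int $now): string
{
    $expiry = (string) ($now + COOKIE_TTL);
    return $expiry . '.' . hash_hmac('sha256', $expiry, $serverKey);
}

/** Accept the cookie only if it is well formed, unexpired and its MAC verifies. */
function cookieIsValid(?string $cookie, string $serverKey, int $now): bool
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return false;
    }
    [$expiry, $mac] = explode('.', $cookie);
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return false;
    }
    return hash_equals(hash_hmac('sha256', $expiry, $serverKey), $mac);
}

/** Decide on a backend request; returns [decision, cookie value to send back or null]. */
function gateBackend(bool $hasSession, ?string $param, ?string $cookie, string $key, int $now): array
{
    if ($hasSession) {
        return ['allow', null];                     // already logged in
    }
    if ($param !== null && hash_equals(SECRET_WORD, $param)) {
        return ['allow', issueCookie($key, $now)];  // correct secret: remember this browser
    }
    if (cookieIsValid($cookie, $key, $now)) {
        return ['allow', null];                     // session expired, the cookie steps in
    }
    return ['block', null];                         // neither secret nor cookie
}

// Constructed walk-through of the cases in the reply.
$key = random_bytes(32);
$now = time();
[, $cookie] = gateBackend(false, SECRET_WORD, null, $key, $now);       // first visit with the secret
echo gateBackend(false, null, $cookie, $key, $now + 3600)[0], PHP_EOL; // session gone, cookie kept
echo gateBackend(false, null, null, $key, $now + 3600)[0], PHP_EOL;    // logout destroyed the cookie
echo gateBackend(false, 'guess', 'x.y', $key, $now)[0], PHP_EOL;       // wrong secret, forged cookie
```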
