HAProxy stats page - user lockout

You can use ACLs for protecting the stats page like with any other page.

Therefore, if you come up with an ACL (perhaps based on stick-tables) that rate-limits, or “locks out” a particular IP for a certain amount of time, then you can use that with your status page. (I’ve never done that, so I can’t provide the actual ACL.)

However, I don’t think the status page is so critical, especially if you don’t enable stats admin, because the worst that can happen is for an attacker to get a layout of your infrastructure and get a “statistic” of its usage.

I usually put the stats page at a randomly generated path (like a UUID), and use authentication for it. Now only those that know your config file can also know where the stats page is.
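
One way to build the stick-table ACL described above, combined with the random path and authentication. This is an added example, not the poster's configuration; the frontend name, bind address, path placeholder, credentials and thresholds are all assumptions, and a `defaults` section with timeouts is expected elsewhere in the file.

```haproxy
# Added example. Every name, address and threshold here is an assumption.
frontend fe_stats
    mode http
    bind 127.0.0.1:8404

    # One entry per client IP, dropped after 10 minutes without traffic.
    # Each entry stores the request rate over a sliding 1-minute window.
    stick-table type ip size 100k expire 10m store http_req_rate(1m)

    # Placeholder path: substitute your own randomly generated UUID.
    acl is_stats path_beg /REPLACE-WITH-RANDOM-UUID

    # Count every request to the stats path against the source IP.
    http-request track-sc0 src if is_stats

    # Refuse clients above 20 requests per minute. Tracking happens before
    # this rule, so refused requests still count and a client that keeps
    # retrying stays locked out until it slows down.
    http-request deny deny_status 429 if is_stats { sc_http_req_rate(0) gt 20 }

    stats enable
    stats uri /REPLACE-WITH-RANDOM-UUID
    stats auth admin:CHANGE-ME
    # "stats admin" is deliberately not enabled.
```

The limit counts all requests to the stats path, not only failed logins, so set it above what a legitimate browser with auto-refresh would generate.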