In some cases, attackers may attempt to flood your wp-login.php file with repeated requests in order to guess your username and password. These brute-force attempts can not only compromise your credentials but also overload your server resources.
To prevent these brute-force attacks, you can install a security plugin such as iThemes Security.
Once the plugin is installed, you will see that it offers many security options. In our case, the relevant section is "Lockouts". Make sure that both "Local Brute Force" and "Network Brute Force" protection are enabled (they are enabled by default).
Click "Next", and you will be guided through additional configuration options. Continue clicking "Next" until the setup is complete, then click "Finish" to secure your site.
Afterward, go to the Security section in the left-hand WordPress menu. Click on "Settings", then "Lockouts", and open the settings (gear icon) for "Network Brute Force". It should appear as shown below:
Within this menu, go to the "Local Brute Force" section and enable the option "Automatically ban the user 'admin'". If WordPress was installed using our installer, the default username will not be admin. However, if you configured WordPress manually, we strongly recommend not using admin as your administrator username.
With these settings applied, your WordPress installation will be protected against brute-force attacks targeting the login page.