Any experienced webmaster who runs a popular WordPress website knows about brute force and other types of hack attacks. You wouldn’t want to make it easier for hackers to breach your defenses by choosing easy-to-guess usernames and passwords. In fact, there is no reason you should even allow people to attack your login page. Here are 3 ways you can reduce attacks on your WordPress login page:
Use a plugin like Login Security Solution: plugins like this allow you to stop hackers in their tracks. They limit login attempts and alert you when someone is trying to hack you. These plugins can also automatically stop hack attempts for hours, days, and longer.
Limit login page access by IP: whether you use Apache or Nginx on your server, there are directives you can add to your .htaccess or config files to keep strangers from accessing your important files. We have already covered a few ways you can do that in the past.
Disable or limit access to XML-RPC: when I limited access to my admin and login pages to my IP only, I assumed that my problem was solved. It only took me a few days to realize that people were still managing to attempt wrong username/password sets. We had to disable XML-RPC for more security.
Since trying these methods, our login pages have not been attacked a whole lot. People are still trying to hack us, but they are using more sophisticated approaches.