Install one of the security plugins. Wordfence is popular, as is “All in One WP Security”. They will log and lock out failed login attempts.
If you have a fixed IP address, you could set up .htaccess so that only that IP can access /wp-admin.
I’m on dynamic IP allocation, but I found the range of addresses assigned always falls into 3 relatively small CIDR ranges, 80% of the time just one range. Putting those ranges into .htaccess blocks all hackers but those using my ISP. I figure if I ever get hacked from one of those ranges, as a paying customer I have a good chance of getting them kicked out. Sure, they’ll just go elsewhere, but they’ll be out of my hair.
It is a bit of a hassle when I’m staying somewhere else to add in an additional range, but once you’ve done it a few times it takes less than 5 minutes.
This is only a viable strategy for those with a very limited number of users requiring admin access.
Thanks to both of you. I am implementing both methods; let’s hope it will get resolved.
Please realise in favour of using bcworkz’s strategy, even if you find yourself on a strange IP address, one that you have not previously used for WP login, that you can still access your site using FTP, and configure the new address. So you will not find yourself in a lockout circle.
Of course, follow up on the other security measures. One I saw recently was being hacked by a site which shared the same hosting; reuse of passwords let the hacker “reach over the fence” which usually isolates shared hosting sites from each other. The point is that security is not an add-on, it has to be built in; every point of access must be defended.
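The CIDR allowlist approach discussed in this thread, as an added example that is not part of any of the posts above: it turns addresses you have observed on a dynamic connection into merged CIDR ranges, writes them as Apache 2.4 `Require ip` lines for `wp-admin/.htaccess`, and checks whether a new address is already covered before you need to add a range over FTP. The sample addresses, the `/25` grouping size and the function names are assumptions, and the `admin-ajax.php` exemption is included because that file serves front-end requests.

```python
import ipaddress

# Constructed sample: addresses seen on a dynamic connection over time
# (RFC 5737 documentation ranges, not real ISP allocations).
OBSERVED = ["203.0.113.14", "203.0.113.77", "203.0.113.201",
            "198.51.100.9", "198.51.100.130", "192.0.2.45"]

def covering_networks(addresses, prefix=25):
    """Widen each address to its enclosing /prefix block, then merge
    duplicate and adjacent blocks. The prefix length is an assumption;
    pick it from the allocation sizes your ISP actually uses."""
    blocks = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addresses}
    return list(ipaddress.collapse_addresses(blocks))

def is_allowed(address, networks):
    """True if the address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)

def render_htaccess(networks):
    """Emit Apache 2.4 'Require ip' lines for wp-admin/.htaccess."""
    lines = ["# wp-admin/.htaccess: admin area reachable only from these ranges"]
    lines += [f"Require ip {net}" for net in networks]
    # admin-ajax.php lives in wp-admin but serves front-end visitors too,
    # so it is left open here.
    lines += ['<Files "admin-ajax.php">', "    Require all granted", "</Files>"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    nets = covering_networks(OBSERVED)
    print(render_htaccess(nets), end="")
    for candidate in ("203.0.113.250", "192.0.2.200"):
        print(candidate, "allowed" if is_allowed(candidate, nets) else "needs a new range")
```

Apache 2.2 uses the older `Order`/`Allow from` syntax instead of `Require ip`, and `wp-login.php` sits in the site root, so a rule placed in `wp-admin/.htaccess` does not cover it.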