WordPress Site – Password Guessing Brute Force Attacks

That’s sadly normal. WordPress powers about 24% of known websites now, and the login URL is fairly standard, which means bots hunt about looking for login pages to try common usernames/passwords on, there aren’t even real people behind the controls.

There is now way to stop it entirely.

If you have a strong password, they’ll never get in. You can also slow them down with plugins like https://www.ads-software.com/plugins/jetpack/ (specifically its Protect Module) or https://www.ads-software.com/plugins/limit-login-attempts/ (which despite its age still works perfectly).

Alternatively, if this is single attacker coming from one IP address, you can lock it out following this guide: https://codex.www.ads-software.com/Combating_Comment_Spam/Denying_Access