
So, let's get started and learn about countering brute force login attacks aimed at our WordPress site. You can apply these security measures in any order.
1. Change the Default Login URL
By default, every CMS comes preconfigured with several default URLs for different types of actions and processes, and one such action is the login process. WordPress, too, uses a preconfigured default login URL
domain.com/wp-login.php
to provide access to the dashboard for managing the website. And that's the URL hackers use to launch brute force login attacks on a website. So, how do we deal with this situation? What if we change the default login URL to an entirely different URL that cannot be easily guessed?

Make sure you bookmark or memorize the new login URL; otherwise, you won't be able to access the dashboard. This plugin simply intercepts the requests for the default login URL and redirects them to the page you've specified in the plugin settings.
2. Restrict Login Attempts With Lockout Periods
Now that we've changed the default login URL, it's time to move on to the next step to further strengthen our security against brute force login attacks. If a hacker somehow manages to find the new custom login URL, we can restrict the number of unsuccessful login attempts one can trigger in a given time. It's a mitigation that curbs a large influx of brute force login attempts.

If you're experiencing a larger volume of such attempts, you can adjust the settings as per your requirements. The settings shown above are the recommended ones.
This specific measure is a huge obstacle for hackers even if you're using the default login URL. So, make sure you do not skip this method and enforce it on your site without fail.
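To see how a lockout rule of this kind behaves, here is an added example (not from the original article or from any plugin) that replays web server access-log lines against a lockout policy. The thresholds, the sample log lines and the assumption that a failed WordPress login answers with HTTP 200 are illustrative, not the plugin's settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy (not from the article): 5 failures in 10 minutes -> 30 minute lockout.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=30)

LINE_RE = re.compile(  # combined log format: IP, timestamp, request line, status
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_lockouts(lines, login_path="/wp-login.php"):
    """Return {ip: [(lock_start, lock_end), ...]} for IPs that exceed the failure limit."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside WINDOW
    locked_until = {}             # ip -> end of the current lockout
    lockouts = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != login_path:
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and ts < locked_until[ip]:
            continue  # inside a lockout period: the attempt would be rejected outright
        # Assumption: a failed login re-renders the form (200), a success redirects (302).
        if m["status"] != "200":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            locked_until[ip] = ts + LOCKOUT
            lockouts[ip].append((ts, ts + LOCKOUT))
            q.clear()
    return dict(lockouts)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    f'203.0.113.7 - - [12/Mar/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4321'
    for s in range(0, 30, 5)
] + [
    '198.51.100.4 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321',
    '198.51.100.4 - - [12/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(find_lockouts(SAMPLE))
```

If you have changed the login URL as described in step 1, pass the new path as login_path.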
3. Use Two-Factor Authentication (2FA)
Though the first two steps mentioned above are sufficient in countering brute force login attacks, there's no harm in adding more cushion. And that can be done by adding one more authentication layer to the login process. With the advent of new technologies, we can add 2FA to the default WordPress login process.
Once configured, it requires verification of a soft token (a kind of OTP) to log in to the dashboard.

Although the plugin recommends the use of Google Authenticator, I personally found Authy much better to work with. You can try out both to see which one fits your needs.
If you do not find this plugin good enough for your needs, you can try out other 2FA plugins as well.
4. Use Extremely Strong Passwords
Though it is quite obvious, a good percentage of WordPress users still use extremely weak passwords. Sometimes the site owner is completely unaware of this problem, and sometimes he is completely ignorant. If it's the latter case, the blame for a hacked site should be entirely on you. So, go ahead and check whether you're using a weak password. If yes, replace it with a stronger one right away! There are two simple ways to do it.

Or, you can use a password generator to instantly create a strong one with a click of a button.
In both cases, the generated password is quite difficult to remember, so make sure you've saved it in a secure vault on the web. The second option is therefore the recommended way to deal with it.
5. Use Cryptic Admin Username
It's the administrator's account that is the prime target of hackers launching a brute force login attack. If they already know the administrator's account username, half the battle has already been won. Now, all they need is to crack the password. What if they don't know the username of the administrator's account? Naturally, it'll make things difficult for them. And that's what we need to ensure.
Pro Tip: Always use an editor or author account to publish content on the site. Never use an admin account for the same. This way, you'll never expose your admin username to the public.
Generally, the administrator's account username is 'admin', which is obviously quite easy to guess. There are two ways to change this username to something different. The first method is comparatively easier. For that, you'll need to install the Username Changer plugin. It's a lightweight plugin that does its job flawlessly.

The second method is the manual one. First, create a second administrator account with a username that's difficult to guess. Now, delete the old administrator account with a weak or simple username.

From the drop-down list, select the new administrator account (see the image above) and click the Confirm Deletion button to complete the process.