Brute force login attacks are one of the most common attacks that we see and are normal.
We see millions of brute force login attempts per hour on WordPress sites protected with Wordfence.
Here is a blog post explaining why hackers are interested in your site and then steps you can take to keep your admin account protected.
https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/
To keep yourself protected please carry out the following if you haven’t already done so:
1) Make sure all admin accounts and those with high-level access, e.g. with publisher access, use a very strong password – WordPress can auto-generate a very strong password for you on an account profile page.
We recommend that all users with high-level access use a password manager such as 1password.com to store their complex passwords that are exceedingly difficult to remember.
2) Set our recommended brute force protection rules. Instructions are in the link below. You can quickly find these options in the Brute Force Protection section on the All Options page:
https://www.wordfence.com/help/firewall/brute-force/
These rules also protect the WordPress XML-RPC interface:
https://www.wordfence.com/blog/2017/01/xmlrpc-wp-login-brute-force/
3) Enable two-factor authentication for administrators and those with high-level access, e.g. with publisher access. This feature is on the Login Security page. Instructions are in the link below:
https://www.wordfence.com/help/tools/two-factor-authentication/
4) If there is a large number of login attempts for the same username coming from a large pool of IP addresses then you can also enable the Google reCAPTCHA feature found on the Login Security >> Settings page.
https://www.wordfence.com/help/login-security/#captcha-options
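
An added example (not Wordfence code and not part of the original reply): a short Python script that checks a failed-login log for the pattern in step 4, many failed attempts for one username spread over many IP addresses, as opposed to repeated failures from a single address. The log format, the sample lines and the thresholds are assumptions constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample: "<ISO time> <client IP> <username> <result>".
# This format is an assumption for the example, not a Wordfence or WordPress log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.10 admin FAIL
2024-05-01T10:00:03Z 198.51.100.11 admin FAIL
2024-05-01T10:00:04Z 198.51.100.12 admin FAIL
2024-05-01T10:00:06Z 198.51.100.13 admin FAIL
2024-05-01T10:00:07Z 203.0.113.5 editor FAIL
2024-05-01T10:00:08Z 203.0.113.5 editor FAIL
2024-05-01T10:00:09Z 203.0.113.5 editor FAIL
2024-05-01T10:00:10Z 203.0.113.5 editor FAIL
2024-05-01T10:00:12Z 192.0.2.44 alice OK
2024-05-01T10:00:15Z 198.51.100.14 admin FAIL
malformed line
"""


def summarize_failures(log_text):
    """Return {username: {"attempts": n, "ips": set_of_ips}} for failed logins."""
    stats = defaultdict(lambda: {"attempts": 0, "ips": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "FAIL":
            continue  # skip successful logins and lines that do not parse
        _, ip, user, _ = parts
        stats[user]["attempts"] += 1
        stats[user]["ips"].add(ip)
    return dict(stats)


def classify(log_text, min_attempts=4, min_ips=3):
    """Label each heavily targeted username 'distributed' or 'single-source'.

    min_attempts and min_ips are illustrative thresholds (assumptions).
    """
    verdicts = {}
    for user, s in summarize_failures(log_text).items():
        if s["attempts"] < min_attempts:
            continue  # too few failures to call it an attack
        many_sources = len(s["ips"]) >= min_ips
        verdicts[user] = "distributed" if many_sources else "single-source"
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(user, verdict)
```

A username reported as "distributed" matches the situation step 4 describes.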