One of the easiest ways to help prevent brute force attacks is by being able to limit login attempts. This is where variations of commonly used username and passwords are used to try to gain access to your site.
If you are not already using a security plugin on your site such as iThemes Security Pro, Wordfence, Sucuri, or Shield then one of the simplest plugins to limit login attempts is WPS Limit Login.
After you have installed and the WPS Limit Login plugin it will add a new admin menu;
Settings > WPS Limit Login
The plugin has a main configuration settings screen, whitelist, blacklist, and a log section. The base default settings for the plugin can be used or modified as needed if you want to how many allowed retries within a number of minutes, hours until retries are reset, the number of lockouts that will increase the set lockout time, and if you want to set the plugin to email the admin email on the site after a set number of lockouts.
The plugin will use the following options in the sites option database table.
wps_limit_lockout_notify
wps_limit_login_allowed_lockouts
wps_limit_login_allowed_retries
wps_limit_login_lockout_duration
wps_limit_login_long_duration
wps_limit_login_notify_email_after
Wps_limit_login_show_credit_link
The WPS Limit Login plugin can be used with the WPS Hide Login plugin which will provide the feature of being able to rename the default wp-login.php on the site to a different URL which makes it harder for brute force attackers to guess the correct login URL.
Useful links
https://ithemes.com/security/wordpress-brute-force-protection/
https://help.ithemes.com/hc/en-us/articles/202473234-iThemes-Security-Brute-Force-Protection
https://www.wordfence.com/help/firewall/brute-force/
https://www.wordfence.com/help/login-security/
https://getshieldsecurity.com/blog/limit-login-attempts-wordpress-shield-security-pro/
https://sucuri.net/website-firewall/stop-brute-force-attacks/
https://sucuri.net/guides/wordpress-security/