You need to protect your WordPress website from hackers.
One way the hackers get in is by password guessing. They are very good at it, and even if they don’t hack your WordPress web site – they steal away performance from real people trying to use your web site.
There are more and more ways to attack your WordPress login.
The only real way to protect logins is via 2 factor authentication. everything else is a half measure against a DDoS attacks (which are very common).
The idea of 2 factor authentication, is to have 2 sets of credentials, that are distinct from each another. It’s like the 2 keys used in a nuclear missile silo, they are opposite sides of the room, and have to be turned at the same time.
wpDone uses credentials on our load balancer, but you can use Auth settings in httpd.conf or .htaccess
The idea is that you set a simple challenge password, as well as your normal web page based wordpress username and password.
You can use a basic http password, or a plugin.
I really like this plugin : https://en-au.wordpress.org/plugins/google-authenticator/
So if they hacker does crack your site, and get your passwords, they still don’t have the more custom passwords from .htaccess (or in our case on the load balancer).
You just setup the security on /wp-admin and /wp-login. So if you type in those URLs, you have 2 sets of passwords to enter.