For the security of your website from force attacks, you can limit the number of times the users can try to log in to your site. Hackers try to crack passwords by trying to log in with different combinations.
This can be easily fixed by limiting the failed login attempts a user can make. If you’re using the web application firewall, then this is automatically taken care of. However, if you don’t have the firewall setup, you may try the 3rd party plugin called Limit Login Attempts.
Limit the number of login attempts possible both through normal login as well as using auth cookies. By default, WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Limit Login Attempts block an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible. Please visit this link to learn more:
As it is a 3rd party plugin, we cannot guarantee support and compatibility as we have not fully tested it, but you are free to try it. You can contact developer support at: https://wordpress.org/support/plugin/limit-login-attempts/
