Brute-force attacks on a WordPress website arrive in 2 ways.
1) Through “xmlrpc.php”
Solution -> Add a plugin (https://wordpress.org/plugins/disable-xml-rpc/) to disable it. Don’t do this manually with custom code, because we don’t want it to be disabled completely: it is used with some plugins such as “Jetpack”.
Source of solution -> https://www.hostinger.in/tutorials/xmlrpc-wordpress
2) Through “wp-login.php”
Solution -> Add a plugin (https://wordpress.org/plugins/protect-wp-admin/) for hiding WP Admin.
Usage of xmlrpc file -> https://www.hostinger.in/tutorials/xmlrpc-wordpress
The combination of these 2 plugins will solve the brute-force login attempts issue.
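
To see how much login traffic is hitting the two entry points, before and after installing the plugins, the POST requests to each can be counted per client in the web server access log. This is an added example, not part of the original note; it assumes the combined log format, and the sample lines, function names and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines; the IPs come from documentation ranges.
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.23 - - [10/Mar/2024:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2810 "-" "-"
198.51.100.23 - - [10/Mar/2024:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2810 "-" "-"
198.51.100.23 - - [10/Mar/2024:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2810 "-" "-"
192.0.2.10 - - [10/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2650 "-" "-"
192.0.2.10 - - [10/Mar/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
192.0.2.10 - - [10/Mar/2024:10:05:10 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "-"
'''

# Client IP, request method, request path and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The two entry points named in this note.
ENDPOINTS = ("/xmlrpc.php", "/wp-login.php")


def count_login_posts(log_text):
    """Count POST requests per (client IP, endpoint) for the two entry points."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue  # page views (GET) and unparsable lines are not login attempts
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        for endpoint in ENDPOINTS:
            if path.endswith(endpoint):  # also matches a site in a subdirectory
                counts[(m.group("ip"), endpoint)] += 1
    return counts


def flag_sources(log_text, threshold=3):
    """Return sorted (ip, endpoint, count) for clients at or above the threshold."""
    counts = count_login_posts(log_text)
    return sorted((ip, ep, n) for (ip, ep), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, endpoint, n in flag_sources(SAMPLE_LOG):
        print(f"{ip} sent {n} POSTs to {endpoint}")
```

The threshold of 3 only suits the short sample; on a real log, pick a value per time window that sits above normal login activity for the site.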