1) Through “xmlrpc.php”
Solution -> Add a plugin (https://wordpress.org/plugins/disable-xml-rpc/) for disabling it. Don’t do this manually by custom code because we don’t want it to be disabled completely. It is used with some plugins such as “Jetpack”.
Source of solution -> https://www.hostinger.in/tutorials/xmlrpc-wordpress
2) Through “wp-login.php”
Solution -> Add a plugin (https://wordpress.org/plugins/protect-wp-admin/) for hiding WP Admin.
The combination of these 2 plugin will solve brute force login attempts issue.