A plugin known as Stealth Login allows you to create custom URLs for logging in and out, administration and registering for your WordPress blog. Stealth Mode is also possible which will prevent users from accessing wp-login.php directly. You can then set your login url to something more obscure. However, this is not perfect but if someone does manage to “discover” your password, it can make it difficult for them to find the exact login URL. This also prevents bots that are used for malicious intents from accessing your wp-login.php file and attempting to break in.
Sometimes the hacker may believe they know your password, or they may develop a script to guess your password. In that case what you should do is limit the login attempts. You can easily accomplish that by using a plugin called Limit Login Attempts that could lock end user out when they entered an unacceptable password in excess of the specified time.
I reckon this is the most effective protection if you own a static IP you can limit access to your WP-Admin Panel and only allow certain IP Addresses to access. All you have to do is create a .htaccess file in your web root with this code:
<FilesMatch wp-login.php> Order deny,allow deny from all allow from 18.104.22.168 #permitted IP address </FilesMatch>