Attempt to access the login page happen all the time. Not a big deal….assuming that you have proper protections. Like:
- Not having a user named ‘admin’
- Not allowing enumeration of user names (so user names aren’t discoverable)
- Using strong passwords on all accounts, especially admin-level
- Using strong passwords on hosting, FTP, database, etc
- Disabling access to xmlrpc.prg (a common hack entry point)
- Being careful with user-uploaded files (if you let users create entries)
- General AV protection on your local computer (and good password policies)
I manage a lot of WP sites, and I don’t worry about invalid login attempts, because I follow the above rules. I also have some security settings I apply by default (via a plugin that I wrote) to add to the htaccess file.
If a site does get hacked, then I follow a carefully evolved process of cleaning up the site. Lots of googles/bings/ducks on cleaning up a hacked WP site. My process is here https://www.securitydawg.com/recovering-from-a-hacked-wordpress-site/ – there are many others.