No, the requests will still happen, even if it results in a 404. If you keep logging, you’ll also notice attempts to log in to Drupal, Joomla, and other major CMS, including server exploits for IIS Apache and Nginx
This is because they’re automated opportunistic requests, they’re not actually looking at your site, they’re only looking for successful logins. Most sites get these, sometimes in large spikes, sometimes as consistent background noise.
If you’re worried about your security though, I’d suggest that you:
- Add a brute force login mechanism, such as the one included in Jetpack, or the popular limit logins plugin
- Force a minimum password strength, there are several plugins that can do this for you, though I cant recommend one
- Use 2 factor authentication
Other than that, there isn’t anything you can do to eliminate the possibility short of a major breakthrough in computer security research. Moving your login page will either break things, or it’ll only work for those bots that are particularly stupid.
Anyone can visit the login page of a site via rewrite rules by going to /login
if pretty permalinks are turned on, they can use XMLRPC, and they can visit the admin area at wp-admin
and be redirected to the login page. If you move the admin area, aside from breaking things, the user can still visit /admin
and be redirected anyway. Moving things sounds like the answer, but it really isn’t, it’ll just give you a sense of false security, which is far more dangerous.