Protecting only wp-admin won’t help much; at least, it won’t protect you from brute-force attacks.
A brute force attack is a trial-and-error method used to obtain
information such as a user password or personal identification number
(PIN). In a brute force attack, automated software is used to generate
a large number of consecutive guesses as to the value of the desired
data.
In other words, the attacker tries to guess the password by attempting to log in with different credentials.
Why won’t protecting wp-admin protect you? Because brute-force attacks are not directed at wp-admin. There are two methods used to perform brute-force attacks on WordPress:
- Send credentials to wp-login.php and check the response.
- Send some authenticated request to xmlrpc.php and check whether an authentication error occurred.
So if you want to protect yourself from brute-force attacks, you should protect these 2 files. This way the attacker won’t be able to guess the credentials.
Of course, protecting wp-admin is also a good idea: this way, even if someone breaks the password, they still won’t get into the wp-admin area.
Remember, though, that a second layer (Basic Auth?) is just one of the methods you can use to protect yourself from brute-force attacks. You can also implement login throttling or temporary lockout.