In dealing WordPress Login (wp-login.php) brute force attack, previously, I recommend changing username & password as mentioned in WordPress Brute Force Attack – Change Username/Login ID post.
For Cloudflare users, you may block the login page for other visitors from other country except yours as mention in Defeat wp-login.php Brute Force Attack Using Cloudflare & .htaccess. However, this method has there are some limitation where you must use Cloudflare services & not many attack originated from your country.
Another method is by whitelisting your IP. If your IP is dynamic, you may want to find out your IP ranges.
After that add the code below in your “.htaccess” file and replace the “allow from XXX.XXX.XXX.XXX/XX with your IP ranges.
<FilesMatch "wp-login.php"> order deny,allow deny from all allow from XXX.XXX.XXX.XXX/XX allow from YYY.YYY.YYY.YYY/YY allow from ZZZ.ZZZ.ZZZ.ZZZ/ZZ </FilesMatch>