In dealing WordPress Login (wp-login.php) brute force attack, previously, I recommend changing username & password as mentioned in WordPress Brute Force Attack – Change Username/Login ID post.
It does help to prevent the hacker to gain access, but the attack caused another problem as it consumed a large amount of server resources. Plugins such as Brute Force Login Protection may assist you to block the IPs after a number of wrong attempts. However, some of the hackers have large numbers of IPs, from hundreds to thousands of IPs. I encounter this problem & really taxing my server resources similar to DDOS attack.
While looking for better alternative to solve this problem, I found out that if you are using Cloudflare, the request headers contain the country code of the visitor’s origin. The header I’m talking about is the “HTTP_CF_IPCOUNTRY”.
What you to do is to allow only visitors from certain country to access “wp-login.php” file by using “HTTP_CF_IPCOUNTRY” header and “.htaccess” file.
The example below is only allow visitors from United States & Canada. Change the country code in the third line to make it applicable to your locations.
<FilesMatch "wp-login.php">
RewriteEngine on
RewriteCond %{HTTP:CF-IPCOUNTRY} !^(US|CA)$
RewriteRule ^ - [F,L]
</FilesMatch>