WordPress sites are hit all the time. Some basic steps can prevent most of the attacks. Automated scripts will likely time out after being blocked enough times and move on. Injection attacks will not be able to find important data. You can even hide your admin dashboard. Here are some working examples.
Change database prefix
https://wordpress.org/plugins/brozzme-db-prefix-change/
Change the prefix to 5 or more random characters, such as fjTn8_
Install Wordfence
https://wordpress.org/plugins/wordfence/
Brute Force Protection
Lock out after how many login failures – 2
Lock out after how many forgot password attempts – 2
Immediately lock out after bad usernames – Checked
Login Security
Add reCaptcha v3 to login and user registration pages
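An added example, not part of the original page and not Wordfence code: a Python script that applies the 2-failure lockout threshold above to a web server access log, to show which clients the rule would catch and which legitimate users it would spare. The Combined Log Format, the 5-minute counting window, the sample lines, and the rule that a failed login answers 200 while a successful one answers 302 are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 2                # threshold from the Brute Force Protection settings
WINDOW = timedelta(minutes=5)   # assumption: the page gives no counting period

# Combined Log Format: ip - user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.44 - - [10/Mar/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "-"
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
"""

def failed_login(m):
    # Assumption: a failed WordPress login re-renders the form (200),
    # a successful one redirects (302).
    return (m["method"] == "POST"
            and m["path"].split("?")[0].endswith("/wp-login.php")
            and m["status"] == "200")

def would_lock_out(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {ip: time of the failure that reaches the threshold}."""
    recent = defaultdict(list)   # ip -> failure times still inside the window
    locked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not failed_login(m) or m["ip"] in locked:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = [t for t in recent[m["ip"]] if ts - t <= window] + [ts]
        recent[m["ip"]] = hits
        if len(hits) >= max_failures:
            locked[m["ip"]] = ts
    return locked

if __name__ == "__main__":
    for ip, ts in would_lock_out(SAMPLE_LOG).items():
        print(f"{ip} reaches {MAX_FAILURES} failures at {ts.isoformat()}")
```

In the sample, only 203.0.113.7 is locked out; the user who mistypes once and then logs in, and the one whose two failures are 90 minutes apart, are not.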
Change wp-admin login
https://wordpress.org/plugins/change-wp-admin-login/
Change wp-admin to anything with 4 random characters, such as domain-Xxroq