1- Change log-in URL by WPS Hide Login

2- Limit login attempts by Limit Login Attempts

3- Disabling Xmlrpc.php by Disable XML-RPC 

• If you’d want to only turn certain elements of XML-RPC off, but still allow certain plugins and features to work, then use Stop XML-RPC Attack. This plugin will stop all XML-RPC attacks, but it’ll continue to allow plugins like Jetpack, and other automatic tools and plugins to retain access to the xmlrpc.php file.

or add the following code to .htaccess file :

Note: Change xxx.xxx.xxx.xxx to IP address you wish to allow access xmlrpc.php or remove this line completely.