By default, WordPress allows unlimited failed login attempts. Use a security plugin like Wordfence to lock out users (or bots) after 3 or 5 failed tries. Enable Two-Factor Authentication (2FA)
You receive this error immediately after clicking login, even though cookies work on other sites. Causes: A corrupted .htaccess file, incorrect home and siteurl settings, or a security plugin. Solutions: wp login
"Security through obscurity" can stop automated bots. By changing the URL from /wp-login.php to something obscure like /my-secret-door , bots cannot find the login form easily. By default, WordPress allows unlimited failed login attempts