I have been using the Lockdown WP plugin. It makes sure that if a user who isn't logged in attempts to access WP Admin or WP Login directly, the request fails and returns a not-found error page (404), leading the hacker's botnets to a dead end.
However, after installation I was still experiencing illegal login attempts. I had not thought about the other redirects that WordPress automatically generates: www.example.com/login and www.example.com/admin, which were still happily redirecting all and sundry, including botnets, to my new private login URL.
Thankfully, a line of code in your theme's functions file will resolve this, as follows:
remove_action( 'template_redirect', 'wp_redirect_admin_locations', 1000 );
I realise most people do not manage their own WordPress templates, but this can of course be passed on to a WordPress developer if you experience similar issues.
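One way to confirm the change took effect, as an added example that is not part of the original post: the script requests the shortcut URLs without following redirects and lists any that still redirect to the login or admin URL. The site www.example.com, the login path /my-private-login and the sample responses are constructed; /dashboard is checked as well because the same core function also redirects it.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Shortcut paths that WordPress core's wp_redirect_admin_locations() redirects.
SHORTCUTS = ("/login", "/admin", "/dashboard")
REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep urllib from following redirects so the Location header stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """GET url once and return (status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return err.code, err.headers.get("Location")


def leaking_shortcuts(base_url, login_path, fetch=http_fetch):
    """Return (path, status, location) for shortcuts that still point at the login or admin URL."""
    leaks = []
    for path in SHORTCUTS:
        status, location = fetch(urljoin(base_url, path))
        if status not in REDIRECT_CODES or not location:
            continue  # e.g. a 404: the shortcut discloses nothing
        target = urlparse(urljoin(base_url, location)).path.rstrip("/")
        if target == login_path.rstrip("/") or target.startswith("/wp-admin"):
            leaks.append((path, status, location))
    return leaks


# Constructed responses for a site where the redirects are still active.
SAMPLE_BEFORE = {
    "https://www.example.com/login": (302, "https://www.example.com/my-private-login"),
    "https://www.example.com/admin": (302, "https://www.example.com/wp-admin/"),
    "https://www.example.com/dashboard": (404, None),
}

if __name__ == "__main__":
    fake = SAMPLE_BEFORE.get  # swap for http_fetch to query a live site you run
    for leak in leaking_shortcuts("https://www.example.com", "/my-private-login", fake):
        print(leak)
```

An empty result after adding the remove_action line means none of the shortcuts redirects to the private login URL any more.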