There are a number of ways to protect your WordPress site, one of the best quick wins is to ensure that your Admin page cannot be accessed by any IP address on the Internet. If you have a static IP address (or a number of static IP addresses), then the below will allow you to restrict access to your admin page(s) by IP address.
Firstly you need to create a .htaccess file within the “wp-admin” directory of your WordPress site, this should be readable permissions only for group and other, so perhaps a chmod of 644 would be suitable.
Typically your web hosting provider will give you a way to upload files via FTP, or via a web interface, so you can create the file on your local machine and upload.
Enter the following into the file:
order deny,allow # Block from any, allow from a specific list deny from all allow from 192.168.5.1 allow from 192.168.10.46
Save the file and should now find that you are unable to reach the “wp-admin” Admin page of your WordPress site.
If you want to remove this, simply delete the file. If for whatever reason you have been locked out, simply access the file via your hosting providers method, perhaps FTP or a web interface and remove or amend the file.