how to fix hacked wordpress will also tell you that there's no htaccess in the wp-admin/ directory. You may put a.htaccess file if you wish, and you can use it to control access to the wp-admin directory by IP address or address range. Details of how to do that are available on the net.
I protect an access to important Your Domain Name files on the site's server by placing an index.html file in the particular directory, that hides the files out of public view.
You also need to place the"Anyone Can Register" in Settings/General to off, and you ought to have some sort of spam plugin. Akismet is the old standby, the one I use, but there are many of them these days.
Black and pathological-looking phrases that were whitelists based on which field they look Go Here inside, in a page request. (unknown/numeric parameters vs. known post bodies, comment bodies, etc.).
However, I recommend that you set up the Login LockDown plugin rather than any.htaccess controls. Login requests will be ceased by that from being permitted from a specific IP-ADDRESS for an hour or so after three unsuccessful login attempts. If you accomplish this, it is still possible to access your admin cell while from your workplace, and yet you have good protection against hackers.