The only 2 settings for securing WP Admin

Aug 12, 2019 wordpress

These are the only two settings you need to secure your wp-admin from hackers trying to log into your site.

First, download the iThemes Security plugin. Don’t worry, it’s free!

Next, go to the settings page, click the Advanced link at the top right, and configure Hide Backend.

Then set up what you want the “hidden” URL to be. I would change the default and make it somewhat unique. From then on, you type domain.com/newhiddenurl to log in to your admin.

Now we need to turn off the remote login feature of WordPress. (If you are using Jetpack, this will break Jetpack; I would recommend not using Jetpack.)

Go back to the main settings page, find WordPress Tweaks, and hit Configure.

Next we want to disable XML-RPC.

That’s it. Now your login page is completely hidden and no one can attempt to log in with XML-RPC (a non-hidden way to attempt to log in). You will more than likely need to clear your browser cache and cookies for the new WordPress backend URL to work. This is the one you entered at the beginning: domain.com/newhiddenurl

Once cookies are cleared, you will see that if you type in the standard login path of /login, /wp-admin or /wp-login.php, none of those work now. You have officially secured the login page with 2 simple settings!
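To confirm both settings took effect without relying on your browser, the following check is an added example (not part of the original post and not iThemes code). It flags a default path that still serves the login form, a default path that redirects to the hidden URL and so gives it away, and an xmlrpc.php that still answers. The marker strings are WordPress core's own output; the helper names and the sample responses are constructed for illustration.

```python
import urllib.error
import urllib.request

LOGIN_PATHS = ["/login", "/wp-admin", "/wp-login.php"]  # default paths named in the post
XMLRPC_BANNER = "XML-RPC server accepts POST requests only"  # core's reply to a GET
LOGIN_MARKER = 'id="loginform"'  # id of the core login form


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx responses instead of following them


def fetch(base_url, path):
    """GET one path on your own site; returns (status, Location header, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(base_url.rstrip("/") + path, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # 3xx/4xx/5xx still carry status, headers and body
    body = resp.read().decode("utf-8", "replace")
    return resp.getcode(), resp.headers.get("Location", ""), body


def classify(path, status, location, body, hidden_slug):
    """Return 'exposed', 'leaks-slug' or 'ok' for one response."""
    if path == "/xmlrpc.php":
        return "exposed" if XMLRPC_BANNER in body else "ok"
    if hidden_slug in location:
        return "leaks-slug"  # a default path redirects to the secret URL
    if status == 200 and LOGIN_MARKER in body:
        return "exposed"  # the login form is still served here
    return "ok"


def audit(responses, hidden_slug):
    """responses maps path -> (status, location, body); returns path -> verdict."""
    return {p: classify(p, *r, hidden_slug) for p, r in responses.items()}


# Constructed sample responses from a misconfigured site (not real captures).
SAMPLE = {
    "/login": (302, "https://domain.com/newhiddenurl", ""),
    "/wp-admin": (404, "", "<h1>Not Found</h1>"),
    "/wp-login.php": (200, "", '<form name="loginform" id="loginform">'),
    "/xmlrpc.php": (405, "", XMLRPC_BANNER),
}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE, "newhiddenurl").items():
        print(path, verdict)
```

To check your own site, build the dictionary with `fetch("https://domain.com", p)` for each entry of `LOGIN_PATHS` plus `/xmlrpc.php` and pass it to `audit` with your hidden slug; every verdict should be `ok`.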