Since the default URLs used to log in to the Admin area of WordPress websites are known publicly (such as domain.tld/wp-admin), anyone can attempt to log in, posing a potential vulnerability for your website.
To prevent this, you can change the URL to something unique or protect the existing URL with the help of the following methods:
Method 1 - Changing the WP Admin URL
The easiest and fastest way to protect your admin URL is to change it. You can do it easily by using a free plugin like WPS Hide Login.
Once you set a new URL and save the changes, the login URL will change instantly, so make sure to save it somewhere safe
If you encounter issues logging in after enabling a plugin, check out this article: How to disable WordPress plugins without access to the admin page.
Method 2 - Password Protection
With this method, you will set an additional password required to access the /wp-admin directory on your website. This way, visitors trying to enter it will encounter an additional layer of security.
To enable it, follow this guide: How to Password-Protect Your Website
Method 3 - IP Block
You can block any unwanted IP addresses from accessing your website altogether, allowing for maximum protection.
There are two options: blocking certain IPs and allowing access to everyone else, or blocking access to everyone except a list of IPs you want to allow, such as your own IP address. This method requires that you use a static IP.
If this option is suitable for you, you can enable it by following this guide: How to Allow or Block a Specific IP Address for Your Website.