If you have bots brute-forcing your WordPress login page, you can use Cloudflare to stop these bots from reaching the page at all.
A plugin can be used to help block bots, but this plugin will be using lots of server resources to block these attacks. Even if the attacks are successfully blocked, this can take your site offline by bogging down your server. It will be so busy blocking attacks that it can't serve legitimate visitors the pages they want to see.
Using Cloudflare moves the blocking to Cloudflare's CDN servers. The brute force attacks will be stopped at Cloudflare and never reach your site. This leaves your site free to serve pages to legitimate visitors. Cloudflare allows you set up to five separate sets of firewall rules. Each set can have several filters chained together to create complex filtering and blocking rules. Here we will concentrate on setting up one simple rule.