One of the most commonly attacked pieces of a WordPress install is the login page. Many people will “hide” it to no avail. Others will add math tests or third party logins.
As part of my standard deployment of a site I use a custom Cloudflare rule to protect my login page. With this rule I can eliminate almost all bot traffic to the wp-login.php, and with some minor tweaks even limit the login by country while not impacting the usability of the site for the normal user and even for the WooCommerce user.