A lot of times CP/WP sites are hacked through the back door using xmlrpc.php and you need to block access to that file in .htaccess
# Deny access to xmlrpc.php
Redirect 403 /xmlrpc.php
Even then you need to use some sort of brute force login protection, to stop people hammering your admin login.
I have used WPS Hide Login on all my sites for years. It moves your login page to a URL of your choice, so they don’t even know where to go to log in.
Of course, that doesn’t help much if people need to create an account on your site, although there are membership plugins that will allow you to have a special front end login page.