There is no permanent solution for brute-force attack. Most of the cases WP attack is running on 3 specific files wp-login.php xmlrpc.php and wp-cron.php. All of those files are related with WordPress. There is nothing we can fix from server end without service interruption. But here I give some suggestion which will help to solve the issue.
- Update your wordpress to latest version.
- Update your themes and plugins to latest version.
- Setup WordFence if the attack continue going on (https://wordpress.org/plugins/wordfence/)
- If you see the attack is continuously going on and the server load increased. Go to website home directory, open .htaccess and put the following code.
<files wp-login.php>
order deny,allow
deny from all
</files>
<files xmlrpc.php>
order deny,allow
deny from all
</files>
<files wp-config.php>
order deny,allow
deny from all
</files>
