You will need to update your .htaccess file to shutdown access to the admin area of your WordPress site from anywhere other than a specified IP address.
Here is an example .htaccess file which restricts access to a single IP address:
# Protect wp-login.php from Brute Force Login Attacks based on IP Address
# Add your website domain name
Allow from example.com
# Add your website/Server IP Address
Allow from 18.104.22.168
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 22.214.171.124
Allow from 65.100.50.