Your wordpress based website may be vulnerable or you can’t update extensions,wp core regularly.Also you have too much brute force attacks to your wordpress admin.In every case,the solution for your wordpress security may be restriction wp admin by ip address.
For Nginx
# vi /etc/nginx/nginx.conf
add this location block in the server context and replace ip addresses with your own one
location ~ ^/(wp-admin|wp-login\.php) {
allow 1.2.3.4;
deny all;
}
For Apache Add these to your htaccess file
<Files wp-login.php>
order deny,allow
deny from all
Allow from 1.2.3.4
Allow from 5.6.7.8
</Files>