Your wordpress based website may be vulnerable or you can’t update extensions,wp core regularly.Also you have too much brute force attacks to your wordpress admin.In every case,the solution for your wordpress security may be restriction  wp admin by ip address.

For Nginx

# vi /etc/nginx/nginx.conf

add this location block in the server context and replace ip addresses with your own one

location ~ ^/(wp-admin|wp-login\.php) {
                deny all;

For Apache Add these to your htaccess file

<Files wp-login.php>
order deny,allow
deny from all
Allow from
Allow from