When you say “wordpress” directory, do you actually mean the admin login?
Have you blocked xmlrpc?
What admin url is it changed to? WP resolves /admin, /wp-admin, /login, and /dashboard at least, by default. If it’s one of the defaults, change it. I personally don’t bother except if I get a DDoS attempt.
Edit: nevermind, looks like you answered that already.
Does your sitemap mention the login URL at all?
Is the redirected login URL easily guessed based on the site or random gibberish?
Is your site protected against CSRF attacks?
Do you have a firewall installed (plugin or external)?
When you say “wordpress” directory, do you actually mean the admin login?
Have you blocked xmlrpc?
What admin url is it changed to? WP resolves /admin, /wp-admin, /login, and /dashboard at least, by default. If it’s one of the defaults, change it. I personally don’t bother except if I get a DDoS attempt.
Edit: nevermind, looks like you answered that already.
Does your sitemap mention the login URL at all?
Is the redirected login URL easily guessed based on the site or random gibberish?
Is your site protected against CSRF attacks?
Do you have a firewall installed (plugin or external)?