If you run a small blog, you might think that a secure password or 2-factor authentication is not that important.
However, this is a fallacy: even a blog little only a few dozen accesses a day is sufficiently in the focus of the "hackers" that there are several login attempts per day daily.
Using a fail2ban plugin (I use https://wp-fail2ban.com/), failed login attempts can be logged and the IP addresses from which the attacks originate can be blocked.
In my configuration, IP addresses are completely blocked for 24 hours after two attempts in a two-hour period. The lock is not only valid for the login area, but for all page views.
If you have no possibility to use fail2ban for WordPress, you should still follow a minimum of security instructions: the username should not necessarily be "admin", "root", "Administrator", the password should be at least 10 characters including special characters & numbers and the file permissions for WordPress should be set as restrictive as possible. For the last point there is a very good manual on binary-butterfly.de: File permissions: why actually?
What is your experience? Has your website ever been the victim of a hacker attack? Which security mechanisms do you use? I would be happy about comments!