I've been experimenting with a plugin offering a further layer of security for the admin login, and so far it's worked well to prevent automated attempts to access the admin area with stolen logins. This kind of attack is an increasing problem: I'm notified by email every time there's a failed login attempt on a Zipfish site, and they come in their hundreds every day. The plugin works by adding a password to the URL for the admin login, so instead of going to http://www.mywebsite.com/administrator/index.php you'd go to something like http://www.mywebsite.com/administrator/?UnguessablePa88word . That small change means that the automated scripts bombarding sites with stolen logins won't be able to find the login form.
Is it worth adding such a plugin, and how much of a threat do these attackers really pose? Well, if you've used the same username and password on another site and that site's been hacked and its data stolen, you could be in trouble. Even if your login hasn't been stolen, it may be 'guessed' - not by a human being, but by software generating millions of combinations per second. But whether or not the login attempts are successful, they impact on server resources and could slow the site down, which in turn negatively affects search engine ranking. For the small inconvenience of bookmarking or remembering a new login address, this seems to me like a precaution well worth taking, and I'll be offering it to the Zipfish site owners whose sites are most badly affected.
Tip: if you've just realised that your password could have been stolen, here's a free tool for generating a new one: https://identitysafe.norton.com/password-generator/#