brute force
Sytru5, 2013-12-20 10:25:59

How to get rid of brute-force attacks?

All hosted sites are subject to constant brute-force attacks. Mostly it is the WordPress CMS. In .htaccess, access was limited only for your IP. But the load, nevertheless, remained small.
Is there any solution to reduce the load?


6 answer(s)
Maxim Kotov, 2013-12-20
@Kotov

There are plugins for WordPress that do just that, such as .

svd71, 2013-12-20
@svd71

1. Create complex passwords. A complex password is very easy to remember, but brute-forcing it requires you to work for the US NSA. An example of such a password is "Milk the GoatOn the Field987 times".
2. Create a query analyzer. If an authorization request from the same host is repeated, insert a response pause. Double the pause on each attempt.
Just such a scenario helped me. Certainly not on WordPress.
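
svd71's second suggestion, sketched as an added example (not code from this thread or from WordPress): a per-host throttle whose pause doubles after every failed login. `LoginThrottle`, `handle_login` and their parameters are hypothetical names, and the sketch assumes a throttled request is answered with HTTP 429 rather than put to sleep, so that it does not hold a web-server worker.

```python
import time

class LoginThrottle:
    """Per-host pause that doubles with every failed login (hypothetical helper)."""

    def __init__(self, base=1.0, cap=300.0, forget_after=3600.0, clock=time.monotonic):
        self.base, self.cap, self.forget_after = base, cap, forget_after
        self.clock = clock
        self._hosts = {}  # host -> (consecutive failures, time of last failure)

    def _failures(self, host, now):
        failures, last = self._hosts.get(host, (0, now))
        if now - last > self.forget_after:  # quiet long enough: forget the host
            self._hosts.pop(host, None)
            return 0
        return failures

    def retry_after(self, host):
        """Seconds this host must still wait before a login is evaluated."""
        now = self.clock()
        failures = self._failures(host, now)
        if failures == 0:
            return 0.0
        # 1, 2, 4, ... seconds, capped; exponent bounded to avoid float overflow
        pause = min(self.base * 2 ** min(failures - 1, 30), self.cap)
        return max(0.0, self._hosts[host][1] + pause - now)

    def record(self, host, success):
        now = self.clock()
        if success:
            self._hosts.pop(host, None)  # a good login clears the host's history
        else:
            self._hosts[host] = (self._failures(host, now) + 1, now)


def handle_login(throttle, host, check_password):
    """Return (HTTP status, Retry-After seconds) for one login request."""
    wait = throttle.retry_after(host)
    if wait > 0:
        # Inside the pause: reject without evaluating the password at all
        return 429, wait
    ok = check_password()
    throttle.record(host, ok)
    return (200, 0.0) if ok else (401, throttle.retry_after(host))
```

Because a request that arrives inside the pause is rejected before the password is checked, guesses made during the pause gain the attacker nothing, even a correct one.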

Boris Syomov, 2013-12-20
@kotomyava

Naturally, it remains: beating off requests using the web server is, in general, expensive.
The only problem is that on shared hosting there is no other possibility, for example, to cut off the attackers with the OS firewall, or with a hardware firewall in front of the server. Accordingly, you will have to put up with this load.
However, if you have Nginx in front of Apache on the hosting, and you have access to its configuration, which happens on some shared hosting plans, then it will be better to move the filtering there. This will significantly reduce the load.

Ilya, 2013-12-20
@logicall

There is such a solution as Fail2ban.
There, various regex filters are configured to evaluate logs,
and depending on the rules, firewall rules are applied.

Puma Thailand, 2013-12-20
@opium

Close it off by IP with a firewall.

afiskon, 2013-12-21
@afiskon

The simplest and most effective solution is to write some magic string in the UserAgent of your browser (for example, using the User-Agent Switcher for Chrome plugin) and restrict access by UserAgent (see, for example , point 6).
If this doesn't work for some reason, there are other options. Change the admin URL. Or bolt on one of those plugins for WP that ban by IP after N unsuccessful attempts to log in to the admin area.
