WordPress
Yuribtr, 2021-01-23 11:44:23

How to prevent WordPress/WooCommerce logins from being leaked?

Hello, after launching a store on WooCommerce, I noticed through Sucuri Security that there were attempts to guess the passwords of administrator accounts and of accounts with Shop Manager rights. Interestingly, passwords are not being guessed for ordinary user accounts (for example, store customers). Moreover, deleting a login and creating a new one with administrator rights (naturally with a different ID) does not help: after a short time the hackers begin guessing passwords against this new login.
User enumeration by ID is also blocked, that is, opening site.com/?author=1 redirects to the main page. In the posts, and everywhere on the product pages, there is no mention of the author (the so-called byline). Author archives are disabled in the Yoast SEO plugin. All plugins have been updated. I still suspect WooCommerce itself, since the guessing targets not only administrators but also shop managers.
So far I have limited password guessing with the "Limit Login Attempts Reloaded" plugin, but I would still like to understand how one can prevent hackers from obtaining logins at all. What verification methods are there to find out where the logins are leaking?


4 answer(s)
m0ze, 2021-01-30
@Yuribtr

WordPress has several ways of obtaining the list of accounts, both admins and others. WooCommerce, if installed and activated, adds more of its own (out of the box there are two URLs through which accounts can be enumerated). If you had given a link to the site, one could look more specifically; as it is, only general recommendations: iptables + fail2ban, and remove all the "Limit Login Attempts" clones and security plugins, which can do more harm than good.
Some details:
- look at the page source for <script type="application/ld+json" class="rank-math-schema">: inside, among other data, there may be the login of the post/page author;
- /wp-json/wp/v2/users or /wp-json/wp/v2/users/X, where X is the user ID;
- /wp-json/wp/v2/posts: the site's posts; the data includes the ID of the post's author;
- /wp-json/wp/v2/pages: the same as for posts, only for pages;
- /wp-json/wp/v2/media: the same, only for files in the media library;
- /wp-json/wp/v2/comments: relevant if you have not disabled commenting on the site;
- /wp-json/wp/v2/product: relevant for a working WooCommerce; all products are listed (via the product page ID you can see the media file data, where the author's ID will be);
- /feed/ [if the feed is not disabled]: among other things the author is shown there too, as <dc:creator>автор</dc:creator>.
Brute force (the process is automated, of course):
- through the form /wp-login.php: if the login is wrong, a corresponding error message is returned;
- /author/xxxx/;
- /my-account/xxxx/ and /account/xxxx/ [for WooCommerce].

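A defender-side counterpart to the list above, as an added example that is not from m0ze's answer and not code shipped by WordPress or WooCommerce: a must-use plugin that closes the enumeration paths named there (the REST user routes, the differing login error messages, the feed author, and the author archives). The hooks used (rest_endpoints, authenticate, the_author, template_redirect) are core WordPress APIs; the file name, the error message text and the choice of the site name as feed author are my own assumptions.

```php
<?php
/**
 * Plugin Name: Login-leak hardening (added example)
 *
 * Added example, not code from the thread or from WordPress/WooCommerce.
 * Save as wp-content/mu-plugins/login-leak-hardening.php; files in
 * mu-plugins load automatically, no activation needed.
 */

defined( 'ABSPATH' ) || exit;

// 1. REST API: drop the two user routes for anyone who may not list users.
//    /wp/v2/posts, /pages, /media etc. still expose numeric author IDs, but
//    without these routes the ID cannot be turned into a login name, and
//    the block editor / WooCommerce Store API keep working.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );

// 2. One error for "unknown user" and "wrong password", everywhere that
//    goes through wp_authenticate(): wp-login.php, XML-RPC and the
//    WooCommerce /my-account/ form. Priority 100 runs after core's own
//    callbacks (20/30/99). Only replace when both fields were supplied:
//    wp-login.php relies on the empty_username/empty_password codes to show
//    a clean form on a plain GET.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( is_wp_error( $user ) && '' !== $username && '' !== $password ) {
        return new WP_Error( 'invalid_login', __( 'Invalid login credentials.' ) );
    }
    return $user;
}, 100, 3 );

// 3. Feeds: <dc:creator> prints get_the_author(), i.e. the display name,
//    which by default equals the login. Show the site name instead.
add_filter( 'the_author', function ( $display_name ) {
    return is_feed() ? get_bloginfo( 'name' ) : $display_name;
} );

// 4. Author archives (/author/<login>/ and ?author=N): send them home at
//    priority 1, before redirect_canonical() (priority 10) would rewrite
//    ?author=N into /author/<login>/ and thereby reveal the login.
add_action( 'template_redirect', function () {
    if ( is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );
```

After deploying, verify from a logged-out browser: /wp-json/wp/v2/users should answer with a 404 "rest_no_route" error instead of a user list, a wrong password and an unknown username on wp-login.php should produce the identical message, the feed should no longer carry account names in dc:creator, and ?author=1 should land on the home page rather than on /author/<login>/. A theme that builds author boxes from /wp/v2/users for anonymous visitors would stop working with step 1; that is the one trade-off to check.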
Vladimir Druzhaev, 2021-01-23
@OtshelnikFm

These are not hackers. These are bots. For many decades they have been hammering WordPress and other CMSs automatically.
Strong passwords and blocking the IP after 3 attempts will pacify the bots.
PS: don't get carried away with Sucuri Security and the other "best security" plugins; all of it loads the server.
All you need to know is: "yes, bots will always hammer." Protection through the server's iptables, and no problem. Hanging security hardening onto WordPress is like propping a door shut with a chair: it works, but not properly. Fitting a proper lock is the solution.

sputnickk, 2021-01-28
@sputnickk

in .htaccess you write:

# Apache 2.2 syntax (order/allow/deny); on Apache 2.4 it needs
# mod_access_compat, or the equivalent "Require all denied" / "Require ip".

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# protect the .htaccess file itself
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

# "order deny,allow" + "deny from all" is the allow-list pattern: add an
# "allow from <your IP>" line inside each block below, otherwise you lock
# yourself out of the login as well
<Files wp-login.php>
order deny,allow
deny from all
</Files>

# note: core WordPress has no wp-admin.php file (the admin area is the
# wp-admin/ directory), so this block matches nothing as written
<Files wp-admin.php>
order deny,allow
deny from all
</Files>

<Files wp-signup.php>
order deny,allow
deny from all
</Files>

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

and change the login path; this plugin is good for that: wps hide login
security plugins / all-in-one suites only slow down the site; if you want more protection, run the site through Cloudflare and create a blocking rule there: https://i.imgur.com/OElnkXv.png . I get up to half a thousand blocks per day on the sites I manage

Elio Don, 2022-04-12
@elmurzaalchakov

customize login links
