Add this to the top of the .htaccess file

## Bruteforce protection
## Block wp-admin, wp-login.php, xmlrpc.php POST verzoeken
## Whitelist IPv4 addresses online 9 (replace 1.2.3.4)
RewriteEngine on 
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR] 
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] 
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ 
RewriteCond %{REMOTE_ADDR} !^1.2.3.4$ 
RewriteRule ^(.*)$ - [R=403,L]
Code language: PHP (php)