A plugin which I always install on websites now is Limit Login Attempts Reloaded (there’s an earlier one, Limit Login Attempts, which hasn’t been updated for some time). As well as doing what it says, it also gives visibility to how hard the website is being hit by login attempts. This site often gets targetted and yesterday there were more than 1200 failed attempts, which have dropped down to less than 100 today. I guess this is happening on every website. It reinforces the advice to have a strong password.
Most login attempts use the author slug as username so I also use the Edit Author Slug plugin, which separates the author slug from the username. (It seems to be possible to find the author slug from a post.) This is best done when the site is first set up; once posts have been made I don’t think the slugs on existing posts are updated so it’s better to change the username by directly editing the database using phpmyadmin. This provides one more barrier to any hacking attempts.
The only time I’ve had a successful hack was back in 2017 when there was an error WordPress, in the REST interface, and I hadn’t installed updated WP as soon as it was released.