OK this is rather simple, but very effective. You can use the Apache webserver htaccess control feature to limit access to the WordPress admin panel subdirectory and the wp-login.php file.

Lets sort out the /wp-admin control panel area first.
1. First ssh to your host, in this example I am use debian based (Ubuntu).
2. Change directory to /var/www/html/wp-admin
3. ls -la to list hidden files. Then nano .htaccess
4. The text file editor nano will load. Configure the .htaccess file like so:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist Home address
allow from x.x.x.x
# whitelist Work address
allow from x.x.x.x
</LIMIT>

5. Replace x.x.x.x with your source IP addresses. The limitation here is you need a static address from where you’ll administer your WordPress site. However, i think this is a small adjustment to make considering the bot networks and automated attacks going on! I have set it for two trusted locations (home and work).

To do the same for the wp-login.php file:
1. cd to /var/www/html/
2. nano .htaccess and the edit or create the file – add the following to it:

# Limit Logon to Source IP for wp-login.php
<Files wp-login.php>
order deny,allow
Deny from all
# Whitelist From Home
allow from x.x.x.x
#Whitelist From Work
allow from x.x.x.x
</Files>

3. Replace x.x.x.x with your source IP addresses like you did for the /wp-admin directory, this one is based on a file list and specifically configured for wp-login.php

I hope this helps other WordPress enthusiasts keep the bad guys out!