Of course, there are many ways to defend against such tactics.
Wordpress blogs are often brute-forced.
But you can deploy mod_sec to stop this.
LiteSpeed has a built-in mechanism in the latest version to stop this.
BitNinja also stops this in its tracks.
CloudLinux Immunity 360 would also stop this.
We have other algorithms that spot this stuff and block users,
Of course, the WAFs stop many brute force attacks, not just WordPress.