
Website Logins

Posted on 29 October 2021 11:17 pm

Hackers will try to gain access to your website through brute force and/or other techniques. It is good practice to observe the following:

  1. Password Policies - Strong password policies are a must. This includes the length of the password and incorporating numeric, alphanumeric and special characters in the password. Avoid easily guessed passwords or passwords that could be susceptible to a dictionary attack.
  2. Lockout policies - These policies are advisable, especially against brute-force attacks. As a general rule of thumb, it is advisable to have a minimum of a 3 failed attempts lockout for an extended period of time.
  3. reCAPTCHA - A reCAPTCHA is helpful in combating automated attacks and bots. A simple reCAPTCHA to incorporate into your website logins and forms is Google reCAPTCHA.
  4. Forgot passwords - This flow helps you to reset your password at a time when you cannot remember the password you used when you created your account. Test the flow periodically to ensure it is working 100%.
  5. Two Factor Authentication (2FA) - Whilst it can be irritating and cumbersome, it is an essential tool to use in terms of website security.
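
The lockout policy in item 2, sketched as an added example (not code from this knowledge base). The class and method names are hypothetical, and the 30-minute lockout is an assumed value, since the article only says "an extended period of time".

```python
import time

MAX_FAILURES = 3            # the article's rule-of-thumb threshold
LOCKOUT_SECONDS = 30 * 60   # assumed value; the article only says "extended period"


class LoginLockout:
    """Counts consecutive failed logins per account and applies a timed lockout."""

    def __init__(self, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = {}      # account key -> consecutive failures
        self._locked_until = {}  # account key -> clock value when lockout ends

    @staticmethod
    def _key(username):
        # Normalise so "Admin" and " admin" share one counter.
        return username.strip().lower()

    def is_locked(self, username):
        key = self._key(username)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout has expired: start again with a clean counter.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_attempt(self, username, password_ok):
        """Return "locked", "ok" or "failed" for one login attempt."""
        key = self._key(username)
        if self.is_locked(key):
            # A correct password is still refused while the lockout is active.
            return "locked"
        if password_ok:
            self._failures.pop(key, None)
            return "ok"
        self._failures[key] = self._failures.get(key, 0) + 1
        if self._failures[key] >= self.max_failures:
            self._locked_until[key] = self._clock() + self.lockout_seconds
            return "locked"
        return "failed"
```

The counters here live in process memory; a real site would keep them in its database or cache so they survive restarts and are shared between servers.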
