Several years ago, after noticing the system overhead of the standard Joomla Web site administrator login page during a password attack, I added a secondary Apache password to the administrator page using a .htaccess file stored there:
AuthName "Secured Area"
Two passwords are now required to gain access, but the first one does not require launching PHP, so it consumes much less CPU time. For a microserver like mine (an Intel Atom CPU on a fanless Mini-ITX motherboard), that's a big deal. The gateway password also provides more security, much like disallowing root remote logins to a Linux server. I do this on all my servers - first login to a non-privileged account, then use su to gain privileges. An attacker must guess the non-privileged account name, then the password, and finally the privileged account (root) password.
Usually an attacker will try a few passwords and then go away forever. On May 11, 2016, I noticed that there were a large number of attacks from separate hosts. Each one would try to login using the user name admin and an unknown password (Apache does not save failed passwords). Since there is no such user, that would fail and the host would try five more times for a total of six.