It’s often overlooked, but for security and speed, you should restrict access to your /wp-login.php file by IP address. I’ve had many sites go down because someone was trying to brute-force the admin login, and even when an attack doesn’t take a site down entirely, it tends to slow it down.
With any finely tuned site, users are mostly hitting static files: CSS, JS, images, cached pages, and so on. When they hit /wp-login.php, the server has to do a ton of stuff on the back end to process each request, and if someone is pounding it, your site will suffer.
Just add this code to an .htaccess file in your WordPress root directory, replacing xxx.xxx.xxx.xxx with your IP:
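    # <Files> matches on the file name only, so there is no leading slash
    <Files wp-login.php>
        # Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat
        # Deny everyone by default, then allow only the listed address
        Order deny,allow
        Deny from all
        Allow from xxx.xxx.xxx.xxx
    </Files>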
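
To confirm the rule is actually in effect, you can audit the access log: every request for /wp-login.php from an address outside your allow list should have been answered with a 403. The script below is an added example, not part of the original post; it assumes Apache's common/combined log format, and the function name `audit_login_hits` and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined log prefix: client, ident, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def audit_login_hits(lines, allowed):
    """Summarise /wp-login.php requests from clients outside the allow list.

    Returns (blocked, leaked), two Counters keyed by client IP. `blocked`
    counts 403 responses (the rule worked); `leaked` counts any other status,
    meaning the request reached WordPress and the rule is not in effect.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    blocked, leaked = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line or not an access-log entry
        # Compare the path without its query string (?action=lostpassword etc.)
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        try:
            client = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # a hostname was logged instead of an address
        if any(client in net for net in nets):
            continue  # allow-listed administrator address
        (blocked if m["status"] == "403" else leaked)[m["ip"]] += 1
    return blocked, leaked

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.44 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2841 "-" "-"',
    '203.0.113.10 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "-"',
    '198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "-"',
    'not an access log line',
]
ALLOWED = ["203.0.113.10"]  # placeholder for the address used in .htaccess

if __name__ == "__main__":
    blocked, leaked = audit_login_hits(SAMPLE_LOG, ALLOWED)
    print("blocked (403):", dict(blocked))
    print("reached WordPress:", dict(leaked))
```

Any entry in the second result means the restriction is not being applied to that request, for example because the .htaccess file is not being read or the request arrived through a different virtual host.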