Any WordPress site is potentially vulnerable to a brute force login attacks. Brute force login attacks occur when an attacker continually tries different username and password combinations from a pre-set list (think password1, password2, password3, etc.). The attacker will continue trying different login combinations until one works. Most brute force attempts are automated. There could be an entire botnet attempting to brute force login to your site.
WordPress itself has no built-in protections against brute force attacks into a WordPress admin area. A website could theoretically have brute force login attempts made against it for days. This dramatically slows down the responsiveness of a website and can lead to a poor user experience.
To help combat this, install the free WordPress plugin BruteProtect. BruteProtect installs in less than a minute and will protect your site from malicious login attempts. BruteProtect has been installed on over 100,000 different WordPress sites and continues to improve. Check out their site here: https://bruteprotect.com/.