Do not let your login form allow unlimited username and password attempts, because that is exactly what helps a hacker succeed. If you let them try an infinite number of times, they will eventually discover your login data. Limiting the number of attempts is the first thing you should do to prevent that.

Two-step authentication

 

Also, by changing your passwords often, you further decrease any hacker’s chances of breaking into your site. By “often”, though, this does not mean every day; once in 2-3 months would be enough. Diversity kills the fun for those who are trying to break in.