How to defend against brute force attack on wp-login.php? [duplicate]

This question already has an answer here:

  • How to protect WordPress from brute-force attacks? 3 answers

Today our site is getting a lot of spam requests. Based on /var/log/nginx/access.log they look like a brute force attack:

    103.129.222.98 - - [22/Jul/2019:19:32:34 +0100] "POST /wp-login.php HTTP/1.1" 403 1627 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    18.224.93.56 - - [22/Jul/2019:19:33:11 +0100] "POST /wp-login.php HTTP/1.1" 499 1626 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
    67.205.140.232 - - [22/Jul/2019:19:33:44 +0100] "GET /wp-login.php HTTP/1.1" 502 1627 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

There are so many of these that they are making it impossible to access the website. Presumably the server is overloaded.

How should we mitigate this attack?
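
An added example, not part of the original question: a small Python triage script for nginx combined-format entries like the ones quoted above, tallying `/wp-login.php` hits by client IP, user agent and status code. The function names are illustrative, and the embedded sample is the three lines from the question.

```python
import re
from collections import Counter

# nginx "combined" format:
# ip - user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
# The three entries quoted in the question.
SAMPLE = [
    f'103.129.222.98 - - [22/Jul/2019:19:32:34 +0100] "POST /wp-login.php HTTP/1.1" 403 1627 "-" "{UA}"',
    f'18.224.93.56 - - [22/Jul/2019:19:33:11 +0100] "POST /wp-login.php HTTP/1.1" 499 1626 "-" "{UA}"',
    f'67.205.140.232 - - [22/Jul/2019:19:33:44 +0100] "GET /wp-login.php HTTP/1.1" 502 1627 "-" "{UA}"',
]

def login_requests(lines, target="/wp-login.php"):
    """Yield parsed entries whose path (query string ignored) is the login page."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["path"].split("?", 1)[0] == target:
            yield m.groupdict()

def summarize(lines):
    """Count login-page hits per client IP, per user agent and per status code."""
    by_ip, by_agent, by_status = Counter(), Counter(), Counter()
    for entry in login_requests(lines):
        by_ip[entry["ip"]] += 1
        by_agent[entry["agent"]] += 1
        by_status[entry["status"]] += 1
    return by_ip, by_agent, by_status

if __name__ == "__main__":
    by_ip, by_agent, by_status = summarize(SAMPLE)
    for title, counter in (("client IP", by_ip), ("user agent", by_agent),
                           ("status", by_status)):
        print(f"Top {title}:")
        for value, count in counter.most_common(10):
            print(f"  {count:6d}  {value}")
```

On the quoted sample each address appears once while the user agent string is identical across all three, so a per-IP tally alone would not show the cluster. To run it on the real log, pass `open("/var/log/nginx/access.log")` to `summarize` instead of `SAMPLE`.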