wp-login.php in strange location [closed]

I have a problem, in my wordpress the wp-login appears in a strange location myweb.com/covid-19/wp-login.php and it should be myweb.com/wp-login.php. I have searched it in the source code and in the database to eliminate it but I have not been successful.

disable all plugins and the link disappears, but after a while it reappears.

I have performed the following tasks: scan virus and all have given negative

enter image description here

Any ideas?

Multiple wp-login.php attack in shared hosting

I am hosting more than 20 WordPress website in a single server. The server has other cms based websites too. For better security, I have used cloudlinx cagefs which encapsulates each customer. Even if one WordPress site gets hacked then there is no way that hacker will be able to find other users in the server. S/he can’t even see other users by reading /etc/passwd. Although I am using such security I see lots of attack on WordPress websites. My question is how is it possible. I know there are sites like yougetsignal which can disclose sites hosted in same IP address but in my case it also does not show other websites. How does hacker able to find other WordPress sites in my server and how is s/he attacking those sites?

How to defend against brute force attack on wp-login.php? [duplicate]

This question already has an answer here:

  • How to protect WordPress from brute-force attacks? 3 answers

Today our site is getting a lot of spam requests. Based on /var/log/nginx/access.log they look like a brute force attack:

103.129.222.98 - - [22/Jul/2019:19:32:34 +0100] "POST /wp-login.php HTTP/1.1" 403 1627 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" 18.224.93.56 - - [22/Jul/2019:19:33:11 +0100] "POST /wp-login.php HTTP/1.1" 499 1626 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" 67.205.140.232 - - [22/Jul/2019:19:33:44 +0100] "GET /wp-login.php HTTP/1.1" 502 1627 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" 

There are so many of these, it is making it impossible to access the website. Presumably the server is overloaded.

How should we mitigate this attack?