WordPress brute-force attack advice (question)


As OLS (contrary to LSWS) coming without brute-force attack protection and I would like to avoid WP security plugins, I would like to know is it any idea about other options to apply WP BFA protection?
Additional question.

How to limit reCAPTCHA only for WP login page? As I see from docs, it should be some rewrite rules, but it is not clear from docs, how it should to look and where to add (console or .htaccess).
In fact, OpenLiteSpeed+LiteSpeed Cache+WordPress+CloudFlare is a very good security solution! It is recommended to try CloudFlare!
My blog: https://www.imydl.com has been under constant DDoS attacks since last year. With CloudFlare, I can basically ignore all DDoS attacks!