WordPress brute-force attack advice (question)


As OLS (contrary to LSWS) coming without brute-force attack protection and I would like to avoid WP security plugins, I would like to know is it any idea about other options to apply WP BFA protection?
Additional question.

How to limit reCAPTCHA only for WP login page? As I see from docs, it should be some rewrite rules, but it is not clear from docs, how it should to look and where to add (console or .htaccess).