There's a lot of tutorials on securing HTTP servers - including forcing SSL, deploying mod_security2, mod_evasive, etc (All of which are worth doing), but platforms like Wordpress and OpenCart will attact automated login attempts no matter what you do - they're popular, frequently out-of-date and often have weak passwords. Bots will seek out these installations and start harassing your server to try and get in, wasting bandwidth and CPU time.
I've taken to forcing Cloudflare bot checks on ALL requests to admin routes on sites running on these platforms with the below firewall rule:
This quick solution throws up an immediate roadblock to any automated attempts to access admin routes. It is a minor inconvience to end users to have to complete the CAPTCHA each session but acts as a good first defence against malicious requests. This rule also throws up a challenge for anything with a threat score over 10 - I will generally outright block anything with a threat score over 50.
I will often also consult with the client about which countries they will sell to. Many small e-commerce sites already won't do business with people in certain countries due to a high likelyhood of non-payment or claims of parcels "not arriving" when sent there. A white-list is built of countries the client does want to sell to, and the rest are completely denied access to the site with a second Cloudflare firewall rule, further reducing the sources of potential malicious traffic.