The solutions I found online did not work so I finally used the plugin Secure Admin IP and Disable XML-RPC to restrict access.

The below did not work for me but kept for reference:

Add this to the end of the .htaccess file for your wordpress site:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_ONE$
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_TWO$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

EXAMPLE:

!^4.2.2.2$
!^8.8.8.8$

Reference: https://themeisle.com/blog/whitelist-ip-addresses-in-wordpress/