When I check my nginx access.log, there are requests (a GET request followed by a POST) every two minutes to /wp-login.php.
Then I logged those POST requests (by changing the login page to an empty page and saving the POST requests to a file). The requests contain login credentials, with the correct username and a wrong password. Those requests didn't stop even though the response is an empty page (it may be a script).
Then I denied that IP address in the nginx config. The next day, the same thing happened with a different IP (but the same country).
What's bugging me is: how does that client know my admin username? Is it common for a WordPress site to be like that? It's my first time having a WordPress site on a real server.
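
As an added example (not part of the original post): a Python check that scans an nginx access log for the pattern described above, evenly spaced POSTs to /wp-login.php from one IP, and also counts requests to WordPress's author archives (`?author=N`) and REST users list, two places where a default install exposes usernames publicly. The log lines, IPs and thresholds are constructed, and the nginx "combined" log format is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in nginx "combined" format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:04:01 +0000] "POST /wp-login.php HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:06:02 +0000] "POST /wp-login.php HTTP/1.1" 200 0 "-" "-"
198.51.100.9 - - [10/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
198.51.100.9 - - [10/Mar/2024:10:05:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 5000 "-" "-"
"""

# Captures: client IP, timestamp, method, request URI.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
# Requests that can reveal WordPress usernames: author archives, REST users list.
ENUM = re.compile(r'[?&]author=\d+|/wp-json/wp/v2/users')

def analyse(log_text, min_posts=3, max_jitter_s=10):
    """Per-IP summary of wp-login.php POSTs and username-enumeration requests."""
    posts, enum_hits = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, uri = m.groups()
        if method == "POST" and uri.split("?")[0] == "/wp-login.php":
            posts[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        if ENUM.search(uri):
            enum_hits[ip] += 1
    report = {}
    for ip in set(posts) | set(enum_hits):
        times = sorted(posts[ip])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        # Evenly spaced attempts (small jitter around the median) suggest a script.
        scripted = len(times) >= min_posts and all(
            abs(g - med) <= max_jitter_s for g in gaps)
        report[ip] = {"login_posts": len(times), "median_gap_s": med,
                      "scripted": scripted, "enum_hits": enum_hits[ip]}
    return report

if __name__ == "__main__":
    for ip, row in sorted(analyse(SAMPLE_LOG).items()):
        print(ip, row)
```

Because the source IP changed after the deny rule, grouping by username or by request interval across IPs is a natural next step; per-IP blocking alone will not keep up.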