Just a reminder: WordPress automatically uses the user name “Admin” when it gets setup.
If you have that username in your ‘Users’ list, change it or delete.
Malicious people constantly look for WordPress sites and attempt to login via that user using a variety of passwords.
I use a plugin called Limit Login Attempts to restrict this kind of attack. I have had over 200 attempts to access my site.