No need to tell you to use google captcha on all forms, but still people keep trying.
You can always find a plugin to get the job done, but manually you can do this too.
- Generate a .htpasswd file using htpasswd generator.
- Do not place this file in the same location as your .htaccess file, suggested one folder up
- Update .htaccess with folloing code
<Files wp-login.php>
AuthUserFile ~/.htpasswd
AuthName “Private access”
AuthType Basic
</Files>
You can use the same method to keep away unwanted unauthorized traffic and SEO bots from your staging sites.