Generally this is not much of an issue a host can help with. An analogy is the lock on the door to a brick & mortar store. You can’t really turn to the realtor when people walk in off the street and try to pick the lock on the door, or that you have somebody betraying your trust with the keys.
One thing you can do is monitor your log files and note that IP address of entries where someone appears to be trying different passwords. Then in an .htaccess file you may put:
deny from a.b.c.d
And the person will automatically receive a “Forbidden” error page. If it seems to be a similiar block of addresses, you may shorten it to a.b.c or a.b if necessary. Note this may block out legitimate visitors as well if you are not careful.
This also works well with anonymous surfing services that always send requests from the same IP address.