To be perfectly frank, any site on any server, with any plugin or .htpasswd, can STILL be hacked.
You protect wp-admin, and that's great, but the real risk is your wp-content/plugins and wp-content/themes, where your themes and plugins have files that will always be (by necessity) publicly accessible, and can possibly write to the DB directly.
If you don't want 100 login attempts, use Extra Web Security. We tied in mod_security to fail2ban to detect how many times people are hitting your login page and block them. Also use the .htaccess rules I suggested; they stop people from being able to log in remotely, which means they have to use scripts that are easier for mod_security to catch.
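The counting idea in the post above (how many times one client hits the login page in a time window), as an added example that is not part of the original post and is not the Extra Web Security configuration. The function name, the threshold of 5 POSTs per 10 minutes, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log line: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_login_floods(lines, max_hits=5, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was first exceeded} for wp-login.php POSTs."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a combined-format line; ignore it
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not path.endswith("/wp-login.php"):
            continue              # only login submissions count, not page views
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop attempts that aged out of the window
        if len(hits) > max_hits and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def _line(ip, hhmmss, method="POST", path="/wp-login.php", status=200):
    # Builds one constructed access-log line (documentation-range IPs only).
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "constructed-agent"')

# Constructed sample: one client posting every 2 seconds, one posting hourly.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"10:00:{s:02d}") for s in range(0, 16, 2)]
    + [_line("198.51.100.20", "10:01:00", method="GET")]
    + [_line("198.51.100.20", f"1{h}:30:00") for h in range(6)]
)

if __name__ == "__main__":
    for ip, when in find_login_floods(SAMPLE_LOG).items():
        print(f"{ip} exceeded the login threshold at {when.isoformat()}")
```

The hourly client makes six POSTs in total but never more than one inside any 10-minute window, so it is not flagged; only the rapid client is.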