You can read this my article for hiding your Joomla back-end or use my plugin called V4 Security (support Joomla 3.x, 2.x). You can download it here. Below are its features and illustrate images.
1. Backend Protection
You also can set a Redirect URL if someones go to the URL your_site/administrator (without token). I think you should set an URL of a 404 page here.
2. Login Attempts
If you enable this function and specify Max attempts number here (e.g. 3), any user will be locked after 3 times of failed login.
3. Password Complexity
Hope this plugin can help you have well sleep when running Joomla -:)
Do you have any things else? Any comment is welcome.