Webmin by default allows root access to a system, and by default allows terminal access to the root user. Care should be taken to properly setup Webmin to disable the root user.
Enable Two-Factor Authentication
TOTP authentication can be enabled without installing any extra modules. Enable it by allowing TOTP Authentication in the Webmin configuration. Then, for each user enable TOTP authentication separately and save the resulting QR code (authentication key) into a password manager like Bitwarden or Microsoft authenticator. Make sure to test your two factor authentication for each user before you continue. Root should probably have this setup before you disable it.
Disable the root user
The root user can be disabled by specifying the password source, which by default is PAM. By disabling the password for root, you can disable this account. You can also specify a fixed password. User accounts can be individually setup to accept passwords to PAM.
Fail2ban functionality
OOTB, Webmin has a fail2ban like functionality where if a password fails a certain amount of times in a specified period, the user is automatically disabled for a short while. This is fine for basic purposes, however it does not replace disabling a user.