This is a wrong approach, i don't want anyone to mess with my websites, especially with passwords etc etc.
Also many WP are public for registrations, or have Editor accounts.
There are PLENTY of modules that protect WP-Login and work great. Why not installing something like that and be safe.
I don't get it.
We aren't just going around throwing it on sites willy nilly.
Here are some examples from customers we've contacted when we put this in place:
Of the last 7406 page views, 7383 have been to your wp-login.php.
Of the last 5642 page views, 3855 have been to your wp-login.php.
Of the last 4944 page views, 4730 have been to your wp-login.php.
Of the last 15325 page views, 15277 have been to your wp-login.php.
Of the last 30614 page views, 26851 have been to your wp-login.php.
Those are real values taken right from the last 5 tickets we opened with customers concerning their sites being under attack. We're talking about requests over minutes - not days, weeks, or months.
It's enough that if action isn't taken it will take your site offline.
There are two issues facing most brute-force plugins:
1. They tend to require multiple failed attempts from a single IP. The problem? Most of these attacks are done from 100,000s of individual IPs. Have 20,000 attempts to log into your wp-admin? You'll see 20,000 distinct IP addresses.
2. They all require a fair bit of CPU as far as PHP and MySQL that makes them work. So yes - maybe they'll keep your login safe - but they'll potentially take your site down under the load of such a large attack.
Now distributed brute force protection is great - the only problem is that you also face the CPU and possible network load of such plugins. Get hit by 100,000 bots in 5 minutes? You're probably still going to be offline even if they don't get into your WP-Admin.
Password protection [or] simply limiting access to wp-login.php by IP address are ultimately the best ways to fend off attacks if it is possible for your particular site - if they can't even post data to the file, they stand no chance of ever getting in. There are, obviously, sites where this won't fit and if we end up putting this protection on such a site and the site holder lets us know we'll remove it no problem and will also make it so that it can't happen again but, that said, if they don't do something on their own to prevent it they're going to face further problems.