
Use Cloudflare to Block Brute Force Login Attacks


The excellent Limit Login Attempts WordPress plugin will detect failed logins and put up its armoury of defences. Nothing showed its usefulness more than seeing the number of attempts it detected. However, the plugin still requires WordPress to handle the failed attempt, and only login attempts via HTTP and HTTPS are handled. XML-RPC attacks and bot-related attacks need another solution.

For my setup, I only need admin login to WordPress from one IP address. This is where Cloudflare’s content distribution network and its Web Application Firewall can provide excellent protection.

The WAF is extremely easy to set up: all you need to do is add the IP addresses that you want to allow to a rule that blocks access from every address except the ones you have specified (see screenshot).

This will block not only brute force login attempts but also XML-RPC and related attacks before they even reach the WordPress server.
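
As an added example (not from the original post), the script below validates an allowlist, builds a Cloudflare rule expression to pair with the Block action, and models the rule locally so the allowlist can be checked before it is deployed. The protected paths `/wp-login.php` and `/xmlrpc.php` and the documentation-range addresses are assumptions; the post does not list either.

```python
import ipaddress

# Assumption: the WordPress endpoints to protect; the post does not name them.
PROTECTED_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_allowlist(entries):
    """Validate IPs/CIDRs and return them as network objects."""
    # strict=True rejects entries such as 203.0.113.10/24 (host bits set),
    # a typo that would silently allow a whole /24 instead of one host.
    nets = [ipaddress.ip_network(e.strip(), strict=True) for e in entries]
    if not nets:
        raise ValueError("empty allowlist would block every admin login")
    return nets


def build_expression(nets, paths=PROTECTED_PATHS):
    """Return the rule expression; the rule's action must be Block."""
    path_set = " ".join(f'"{p}"' for p in paths)
    ip_set = " ".join(
        str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets
    )
    return (
        f"(http.request.uri.path in {{{path_set}}}) "
        f"and not ip.src in {{{ip_set}}}"
    )


def would_block(nets, client_ip, path, paths=PROTECTED_PATHS):
    """Local model of the rule: True if this request would be blocked."""
    ip = ipaddress.ip_address(client_ip)
    allowed = any(ip.version == n.version and ip in n for n in nets)
    return path in paths and not allowed


if __name__ == "__main__":
    # Constructed sample allowlist (RFC 5737 / RFC 3849 documentation ranges).
    nets = parse_allowlist(["203.0.113.10", "2001:db8::/32"])
    print(build_expression(nets))
    for ip, path in [("198.51.100.7", "/xmlrpc.php"),
                     ("203.0.113.10", "/wp-login.php"),
                     ("198.51.100.7", "/")]:
        print(ip, path, "BLOCK" if would_block(nets, ip, path) else "allow")
```

If the site is reachable over IPv6, include the admin's IPv6 prefix as well, since an allowlist with only an IPv4 address will lock the admin out whenever the connection arrives over IPv6.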