There has been quite a rash of this kind of distributed brute force login hacking crap lately. Enough so that my hosting company sent out an email to all customers noting that they really have no other option than to block access to websites coming under attack. They further note that the only real solution is to use a plugin that renames the wp-login.php file.
Hoping that maybe Wordfence is an effective countermeasure, I asked them their thoughts on that. They basically said no, it's not. Wordfence might do well against a single IP barraging a site with thousands of login requests, but is absolutely ineffective against thousands of IPs (a botnet) sending a single login request. Since the latter is the rule more than the exception, they maintain that a plugin to rename the wp-login file is the only real way to stop the attack from ever happening in the fist place.
So my question is, would Wordfence please consider building this into your already exceptional plugin?
My concern is basically plugin bloat and the additional security holes so many plugins may present when some are not coded or updated to best practice security standards. And when our sites are bogged down executing so many security plugins, the hackers have effectively scored a secondary victory. If they can't brute force their way into our sites, they'll make our sites sluggish from all the countermeasures we must employ. This has to stop somewhere!
Thanks.