Good point Hearth about working with the .htaccess files. I'd offer that if anyone is serious about doing WP security, they need to get comfortable with editing and backing up their .htaccess file(s). Me, I keep multiple and current backups of .htaccess, and can restore or mod in minutes using FTP client. This has saved my behind dozens of times. It's how I fixed things when Falcon didn't work.
Along with that, it bums me out when I hear a plugin leaves traces that are hard to find and remove. If that's truly the case with iThemes, then it is worthless in my opinion. First step for a plugin is to behave.
I do all my country blocking manually (cut paste from countryblock websites), which is one reason I'm looking forward to Wordfence, as I'd much prefer to just click on a checkbox to block countries irrelevant to my blog where attacks are coming from.
Thanks for the hint about caching. Next time I try Falcon I'll remove all my caching stuff from .htaccess.