The iThemes Security PRO NL plugin offers five ways to prevent brute force attacks on your WordPress website:
1. 404 Detection: Bots and hackers often try to access non-existent pages or files on your website in search of vulnerable plugins or themes. iThemes Security PRO NL tracks the number of attempts an IP address (bot/PC) makes to retrieve unavailable pages or files. After a certain number of 404 errors, the security feature denies access to the website temporarily, and if the attempts continue, the IP address is blocked in the .htaccess file, preventing access to the entire website.
2. Brute Force Protection (Automated): This feature focuses on the login panel. Failed login attempts are recorded, and after a certain number of incorrect login attempts, access to the login page is temporarily denied. You can set a maximum number of attempts and the time required before new attempts are allowed. Afterward, the IP address attempting the logins is blocked, preventing continuous login attempts through brute force.
3. Disabling XML-RPC: XML-RPC can be exploited to make login attempts. This feature lets you disable XML-RPC through the plugin if you do not use Jetpack or external apps to access WordPress.
4. Absent Mode: If you typically update your WordPress website only during certain hours of the day, you may not need the login page accessible 24/7. The Absent Mode feature lets you set a specific time when the login page is or isn’t reachable.
5. Blocking Brute Force Attacks per IP: The plugin provides a field where you can enter IP addresses to block. If you discover many brute force attacks coming from specific regions or countries where your website’s target audience is not located, you can add those IP addresses to the ban list, preventing them from launching brute force attacks on your website.
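The escalation described in item 1 (count 404s per IP, lock out temporarily, then ban if the attempts continue) can be sketched as follows; the failed-login lockout in item 2 follows the same pattern. This is an added example, not the plugin's own code: the thresholds, function names and sample events are assumptions, and the generated rules use standard Apache 2.4 syntax rather than the plugin's actual .htaccess output.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; not the plugin's defaults.
MAX_404 = 3              # 404s allowed inside WINDOW before a lockout
WINDOW = 300             # seconds over which 404s are counted
LOCKOUT = 900            # length of a temporary lockout, in seconds
LOCKOUTS_BEFORE_BAN = 2  # lockouts after which the IP is banned

def process(events):
    """events: (timestamp, ip, http_status) tuples. Returns (actions, banned)."""
    hits = defaultdict(deque)    # recent 404 timestamps per IP
    locked_until = {}            # ip -> time the temporary lockout ends
    lockouts = defaultdict(int)  # lockouts issued per IP so far
    banned, actions = set(), []
    for ts, ip, status in sorted(events):
        # Banned or locked-out clients are rejected before any counting.
        if ip in banned or locked_until.get(ip, 0) > ts:
            continue
        if status != 404:
            continue
        q = hits[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop 404s that fell out of the window
            q.popleft()
        if len(q) >= MAX_404:
            q.clear()
            lockouts[ip] += 1
            if lockouts[ip] >= LOCKOUTS_BEFORE_BAN:
                banned.add(ip)
                actions.append((ts, ip, "ban"))
            else:
                locked_until[ip] = ts + LOCKOUT
                actions.append((ts, ip, "lockout"))
    return actions, banned

def htaccess_rules(banned):
    """Render banned IPs as Apache 2.4 deny rules (assumed output format)."""
    body = [f"    Require not ip {ip}" for ip in sorted(banned)]
    return "\n".join(["<RequireAll>", "    Require all granted", *body, "</RequireAll>"])

# Constructed sample: one scanner (203.0.113.7) and one visitor with stray 404s.
SAMPLE_EVENTS = [(t, "203.0.113.7", 404) for t in (0, 10, 20, 30, 40, 1000, 1010, 1020)]
SAMPLE_EVENTS += [(5, "198.51.100.4", 404), (15, "198.51.100.4", 200), (400, "198.51.100.4", 404)]

if __name__ == "__main__":
    actions, banned = process(SAMPLE_EVENTS)
    print(actions)
    print(htaccess_rules(banned))
```

The visitor at 198.51.100.4 is never locked out because its two 404s fall more than WINDOW seconds apart, which is the case a too-low threshold or too-long window would turn into a false positive.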
For more information about this plugin and how it prevents brute force attacks, you can follow the provided link.