When you think about the WordPress security, there's 1 important thing you should know:
IP addresses don’t matter and should not be used as the foundation of a WordPress security policy.
Read that again, because you’re probably so conditioned to think of IP blocking etc. that you believe this without even thinking about it.
Furthermore, if your website is being attacked by a distributed (meaning thousands of IP addresses) system of bots, blocking login attempts based on IP address is utterly futile, and only adds load to your server because of all the database writing and look-ups.
With Shield development, we took a step back, thought about the nature of the most recent attacks on WordPress. We discovered that IP addresses are not a sound foundation upon which protection should be designed.
That said however, we do use the connecting address as the basis for identifying verified users. But this is completely different since their IP address isn’t used to block, but rather accept and match a user session to a verified identity.
So, how can we then block all brute force WordPress login attempts and ensure that the identities of all logged-in users have been verified?
There is a Login Guard module available dedicated to preventing brute force hacking the login on your WordPress sites, and we recommend you enable all its features.
For example, Login Cooldown feature alone should be enough to block all brute force login attempts. It doesn’t use the database to store attempts and counts etc., or care about IP addresses, or anything like that. It’s very efficient.
Shield Security offers extremely effective protection against WordPress login attacks, and provides tried and tested methods for verifying the identity of users active on the system.
We’ve chosen to take a fresh approach to solving WordPress brute force hacking attempts, rather than follow the herd and create a copy-cat security system that adds weight and load to your already burdened WordPress system.