In the last 2 months we had a lot of brute force attacks using different usernames
What is more problematic is that 3 weeks ago i changed the Admin username, and 1 week later they start hammering new username as well. also the bruteforce is a clever one as they using multiple IP's to try passwords they try probably 30 to 60 an hour of different users.
What have i done:
i had used .htaccess to block access to wp-admin folder adn allowed only from one IP
also integrated CAPTCHA on Admin login so robots can not try to log in the thing is wordpress must have may ways an admin can log in as wp_admin is not accesible i sill get from sucuri plugin logs of failed logins.
we using the website for advertising only no bloging or super hi tech stuff. what else is to block or disable to stop this attacks from happening?
any help appreciated.