Important: delete the 'admin' username if your site has one. More than 90% of brute-force attacks try to crack the 'admin' username.
Top 10 most commonly used and worst passwords. Do not use them:
How does the Security-protection plugin work?
The blocking algorithm is based on 2 methods: 'invisible js-captcha' and 'invisible input trap'.
The 'invisible input trap' method is based on the fact that almost all bots fill in inputs named 'email' or 'url'.
How does the Security-protection plugin work in detail?
Two extra hidden fields are added to the login, register and reset-password forms.
The first field is the invisible captcha (copy and paste the code). The second field should be empty.
If a brute-forcer tries to submit the form, it will either get the answer in the first field wrong or try to submit an empty field, and the brute-force attack will be rejected automatically.
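The server-side check for the two hidden fields described above, written as an added example that is not the plugin's own code. The field names 'sp_code' and 'url', the HMAC-derived code and the SP_SECRET key are assumptions, since the page does not say how the plugin generates or names its fields.

```php
<?php
// Added example, not the plugin's code. The field names 'sp_code' and 'url',
// the HMAC-based code and SP_SECRET are all assumptions made for illustration.
const SP_SECRET = 'constructed-demo-secret'; // constructed; use a random per-site key

// Code that the page's JavaScript would copy into the hidden 'sp_code' field.
function sp_expected_code(string $form, int $issuedAt): string
{
    return $issuedAt . ':' . hash_hmac('sha256', $form . '|' . $issuedAt, SP_SECRET);
}

// Returns null when the submission passes, otherwise the reason it is blocked.
function sp_check(array $post, string $form, int $now, int $maxAge = 3600): ?string
{
    // Trap field: hidden from people, so any value means an automated fill.
    if (($post['url'] ?? '') !== '') {
        return 'trap field filled';
    }
    $code  = $post['sp_code'] ?? '';
    $parts = is_string($code) ? explode(':', $code, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'captcha code missing or malformed';
    }
    $issuedAt = (int) $parts[0];
    if ($issuedAt > $now || $now - $issuedAt > $maxAge) {
        return 'captcha code expired';
    }
    // Constant-time comparison of the submitted code with the expected one.
    if (!hash_equals(sp_expected_code($form, $issuedAt), $code)) {
        return 'captcha code mismatch';
    }
    return null;
}

// Constructed submissions: the check runs before any password verification.
$now  = 1700000000;
$good = sp_expected_code('login', $now - 30);
$samples = [
    'browser with JavaScript' => ['log' => 'alice', 'sp_code' => $good, 'url' => ''],
    'bot that skips the code' => ['log' => 'admin', 'url' => ''],
    'bot that fills the trap' => ['log' => 'admin', 'sp_code' => $good, 'url' => 'http://x.example'],
    'code replayed on another form' => ['log' => 'admin', 'sp_code' => $good, 'url' => ''],
];
foreach ($samples as $label => $post) {
    $form   = $label === 'code replayed on another form' ? 'register' : 'login';
    $reason = sp_check($post, $form, $now);
    echo str_pad($label, 32), $reason === null ? 'pass' : "blocked: $reason", PHP_EOL;
}
```

Binding the code to the form name and an issue time keeps a code captured from one form from being reused on another or after it has expired.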
How does the Security-protection plugin stop brute-force attacks?
If the Security-protection check is not passed, then the request is treated as a brute-force request and the login attempt (or registration, or password reset) is blocked even if the username and password are correct.
The plugin sends fake WordPress login cookies to the brute-force bot and redirects it to the admin section to make it appear that the password has been cracked. Many brute-forcers stop their attacks after this.
It is really awesome :)
How to test that brute-force attacks are blocked?
You may enable sending info about blocked brute-force attacks to the admin email.
Edit the security-protection.php file, find "$secprot_send_brute_force_log_to_admin" and set it to "true".
If this plugin does not help you stop brute-force attacks, you can simply rename the wp-login.php file for now; this may help reduce the load on your site. Also create an empty wp-login.php file so that WordPress does not raise a 404 error, because a 404 would start the whole WordPress site again on each wp-login.php access.