I admin a server with lots of WordPress installations on it. I am searching for a solution to prevent high CPU during brute-force attacks; this makes the server unusable some hours a day.
These are the targets:
I wrote a WordPress plugin which you will probably find helpful.
Bad Behavior has a good track record of stopping these sorts of brute-force attacks. It’s sort of a minimalist web application firewall which blocks link spam and some other malicious traffic very early, before all of WordPress is loaded, saving CPU and other resources. (I say minimalist because what can be done only at this layer is minimal compared to what you can do in the web server or even with a separate appliance, though it was designed for people with no other option.)
You’ll find it in the WordPress plugin repository.
Since you run the server, you may also want to use ModSecurity with the Core Rule Set. Many of Bad Behavior’s rules are reimplemented here (look for my name and/or Bad Behavior’s name in them) and the ruleset also contains many other rules which may be helpful to you.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.