I think different admins have different experiences and so different needs, and that Login Security Solutions nicely meets the needs of a significant set of admins.
My experience is that I have never had a user that required 3 times to get their login credentials right, so I have much less concern about blocking legitimate users than some others who have a different experience.
My experience is also that the overwhelming proportion of “bad” login attempts are attacks conducted by bot hosts, many of them bizarrely stable (bizarre because I would have thought that attackers would be shut down quickly by their ISPs, but no, they can live on the same IP even when they are known bot hosts, esp. Russia, China and Korea).
Most importantly, the attacks almost invariably are sourced from servers, not from consumer IP addresses. Since my web sites offer nothing that should invite another server to make a connect, I have no concern about them being unable to successfully connect to my sites. I do not want to block a server for some number of hours, I want it blocked forever.
The concern about innocent victims who have been infected or hijacked just doesn’t enter into it, because the infected source is almost always a infected web site, not an infected personal computer.
So “block” in the sense I have been using it is not to block the user but to block the IP permanently and this is the central difference between the LSS approach and some others.
LLA effecively allows a permanent IP block by setting the time to 9999 hours (2.3 years), such that the blocked IP never gets to the login screen at all. So a blocked IP does not get a chance to the “Check Authentication process.” <–Am I wrong about this?
Now, all of that said, I have had the best possible solution brought to my attention by a user “So_about_that” from Spam Security Forums:
ZBBlock
Using its custom signature rules, I do an “instaban” (immediate permanent IP block) on specific user name attempts, notably “admin” which has not only taken care of 100% of the login attacks against my sites, but has reduced the number of attempts from several dozen per day to a handful per week. It *appears* that bot writers are detecting ZBBlock and removing the hosting site from their targeting algorithms.
ZBBlock is much more capable than just dealing with login attempts and has an active malicious IP detection and blocking system. It has also allowed me to create a rule that eliminates login username enumeration that is hard coded into WordPress.
I still use LLA for potential login attacks that do not use one of the forbidden user names. But since installing ZB, LLA has not been exercised on a single occasion. It has also allowed me to be more charitable toward clumsy or forgetful users by raising the failed attempt to the 4 tries so often cited, since I have confidence that ZB is taking care of the great majority of actual attacks.
I also use http BL, Akismet, some special htaccess rules and run a ProjectHoney trap. None of which have had anything to do since installing ZB. So ,I strongly recommend ZBBlock to all WordPress admins. It’s free, it has great user forums and is blessed with a developer who shares one characteristic you clearly have: active and interested in his code and the users of his code.
The only thing missing is for a WP plugin developer to write a plugin to automate the ZB install and update it when WP core is updated. (ZB is not WP-specific, working on all web apps that use php, so the author who does not use WP himself has no reason to write such a plugin himself).
For the record, if I was starting over and didn’t have ZB, I’ve been persuaded that LLS is a better option than LLA, almost entirely from following the two support forums. Even given the trade offs I mention above, it seems to me that the most critical factor is that Limit Login Solutions is simply better code. When dealing with security hardening, that counts a Lot.
