Protection from login, registration and reset-password brute-force attacks. No captcha.
If Security-protection check was not passed than it is brute-force request and the login attempt (or registration, or reset password) is blocked even if username and password are correct. Plugin sends fake WordPress login cookies to the brute-force bot and redirects it to the admin section to emulate that the password is cracked and many brute-forcers stop their attacks after this. It is really awesome :)
You may enable sending info about blocked brute-force attacks to admin email. Edit security-protection.php file and find "$secprot_send_brute_force_log_to_admin" and make it "true".
If all plugins does not help you to stop brute-force attacks - you can simply rename wp-login.php file (for example 'wp-login-new.php') for now and maybe this can help you to reduce load on your site. And also create empty wp-login.php file for not raising WordPress 404 error because it will start whole WordPress site again during each wp-login.php access. While wp-login.php renamed - users cannot login, register and reset password. If you want to have ability to login while you renamed wp-login.php file you should replace all 'wp-login.php' strings inside of the wp-login.php file to your new filename (for example 'wp-login-new.php').