We have monitors that check our web and MySQL servers every 5 minutes, so we have been well aware when DDoS attacks have been happening to our servers. We tried other lockout plugins, but they are completely useless against DDoS attacks. They seemed to like 2 of the 10 WordPress sites I manage... and WordPress version doesn't seem to have any influence on what sites get hit.
I was actually able to test this plugin during an actual DDoS attack. Our web and MySQL servers were spiked until this plugin activated. Once activated, both servers returned to normal.
This plugin does exactly what it says. It locks your site completely down to where absolutely no one can log in during an attack unless they have a static IP address and that IP address is listed in the IP white list.
It's a bit extreme, but extreme attacks require extreme security measures and I'd rather have to tell a customer to get a static IP address (for security reasons) than have to explain to them why their site is down. I set the lockout time to its maximum setting of 5 hours and the time between invalid attempts to 1 minute. I want things locked down ASAP when these %*#&#'s start hitting our servers.