Like many WP users, we're trying everything we can to stop brute force login attempts (we run a lot of WP sites). We were already using the Limit Login Attempts plugin, which helps but doesn't prevent these attacks, before finding yours. We tried your plugin on a couple of sites, where we cleared the previous login attempts list in LLA to 0. After one day having moved the login URL with your plugin, there have already been botnets that have found the new URL. VERY disappointing. Thought you would want to know.
BTW, does anyone know how to *permanently* block IPs from any access?