First, thanks for the plugin. It works really well and has been a real eye-opener on the number of attacks we get.
Yesterday, we got around a thousand hits each on the same, non-existent usernames, but they all came from different IP addresses. Needless to say, my inbox got very full very fast.
Unfortunately, this had a DDOS-type effect in that it stressed our cheap shared-hosting setup, slowing our site to a crawl. To quickly mitigate this, I modified the plugin with an array of blocked users and modified the is_login_fail_exact_match() to check against it and always return TRUE on match.
This wasn't enough to ease the server load, so I moved the check into the authenticate() function and simply died if there was a match. That worked.
I realize this is hardly ideal. I know we don't want to let them know we are reacting to the attack, and I would much rather have a record of the attack. But this worked in a pinch.
My request is for an option to ignore IP address for a list of usernames, or always for non-existent users, and to somehow get them back to the login screen with as few resources as possible.
Thanks again for the plugin.
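
The behaviour requested in the post above, modelled as an added example that is not part of the original post or the plugin's code: failures for non-existent usernames are counted per username regardless of source IP, so an attack spread over many addresses still trips the limit while the source addresses are kept as a record. The class, method names, limits and sample addresses are hypothetical, and Python is used only to model the logic.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Decide how much work a failed login deserves (hypothetical model)."""

    def __init__(self, known_users, blocked=(), limit=5, window=600):
        self.known = {u.lower() for u in known_users}
        self.blocked = {u.lower() for u in blocked}
        self.limit = limit            # failures tolerated per window
        self.window = window          # window length in seconds
        self.failures = defaultdict(deque)  # key -> failure timestamps
        self.sources = defaultdict(set)     # username -> IPs seen (attack record)

    def on_failed_login(self, username, ip, now):
        """Return 'process' (full handling, notifications) or 'quiet'
        (generic failure page, no further work)."""
        name = username.strip().lower()
        self.sources[name].add(ip)    # keep a record even when staying quiet
        if name in self.blocked:
            return "quiet"
        # Existing accounts: count per (user, IP) so one remote address
        # cannot exhaust the real user's budget from elsewhere.
        # Non-existent accounts: ignore the IP and count per username.
        key = (name, ip) if name in self.known else (name, None)
        hits = self.failures[key]
        hits.append(now)
        while hits and hits[0] <= now - self.window:
            hits.popleft()            # drop failures outside the window
        return "quiet" if len(hits) > self.limit else "process"


if __name__ == "__main__":
    # Constructed sample: one non-existent username, eight source addresses.
    throttle = LoginThrottle(known_users=["alice"], blocked=["test"])
    for i in range(1, 9):
        ip = f"203.0.113.{i}"
        print(ip, throttle.on_failed_login("admin2", ip, now=i * 10))
    print("distinct sources:", len(throttle.sources["admin2"]))
```

A per-IP counter would see one failure from each address here and never trigger; the username-only key switches to the quiet path on the sixth attempt.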