Viewing 3 replies - 1 through 3 (of 3 total)
  • Done. You can download the development version of the plugin from here [1] and enable the wrong password collector from the settings page. Be aware that this is not a good idea, and I explained why here [2], but I try to develop every feature request, so enjoy it.

    As for the 2-Factor Authentication, I will need to take a closer look at the integration with other plugins because it is probable that I cannot hook the login action to retrieve the credentials used during an authentication, but I am not sure about it; I will investigate.

    [1] https://downloads.wordpress.org/plugin/sucuri-scanner.zip
    [2] Sucuri: Why store failed passwords is bad

    Thread Starter hungrynerd

    (@hungrynerd)

    Thanks! I’m just very curious about how intelligent the guessing gets. Most of the time I see ‘admin’ as the account being bruteforced, but there was one interesting day when they tried “developer”, my domain name, and some other generic usernames.

    After investigating this with six different services (including the one mentioned in your original message), I have found that all of them use a different approach to authenticate a user, very similar between them but in the end different; this makes things difficult for me to give support to every service that provides two-factor authentication.

    They basically check with their own API services if the credentials are valid and if the random number generated on time during the login is the right one. Then (if the previous verification passes) they create the cookie that forces the session in the WordPress admin panel. This means that (in most cases) the login hook will not be triggered, and I will not be able to determine if the login was successful or not.

    (Similar to another feature request from another user here).
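
As an added example (not code from the Sucuri plugin or from anyone in this thread), a small WordPress must-use plugin that flags sessions whose auth cookie was set without the `wp_login` hook firing, the situation described in the last reply. It assumes the two-factor plugin creates the session through core's `wp_set_auth_cookie()`, which fires the `set_auth_cookie` action; the class name and log format are hypothetical.

```php
<?php
// Added example: audit logins that bypass the wp_login hook.
// Records usernames only; submitted passwords are never read or stored.
final class Example_Session_Audit {
    private static $cookie_user_ids = array(); // users who received an auth cookie
    private static $hooked_user_ids = array(); // users for whom wp_login fired

    public static function register() {
        add_action( 'set_auth_cookie', array( __CLASS__, 'on_cookie' ), 10, 4 );
        add_action( 'wp_login', array( __CLASS__, 'on_login' ), 10, 2 );
        add_action( 'wp_login_failed', array( __CLASS__, 'on_failed' ), 10, 1 );
        // Core sets the cookie before firing wp_login, so compare at the end.
        add_action( 'shutdown', array( __CLASS__, 'report' ) );
    }

    public static function on_cookie( $auth_cookie, $expire, $expiration, $user_id ) {
        self::$cookie_user_ids[ (int) $user_id ] = true;
    }

    public static function on_login( $user_login, $user ) {
        self::$hooked_user_ids[ (int) $user->ID ] = true;
    }

    public static function on_failed( $username ) {
        // sanitize_user() in strict mode strips characters that could forge log lines.
        error_log( sprintf(
            'login_failed user=%s ip=%s',
            sanitize_user( (string) $username, true ),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
    }

    public static function report() {
        // Cookies issued with no matching wp_login: a plugin created the session
        // itself, or core refreshed the cookie (for example after a password change).
        $unhooked = array_diff_key( self::$cookie_user_ids, self::$hooked_user_ids );
        foreach ( array_keys( $unhooked ) as $user_id ) {
            error_log( sprintf( 'session_without_wp_login user_id=%d', $user_id ) );
        }
    }
}

Example_Session_Audit::register();
```

A `session_without_wp_login` line is a prompt to review which code path created the session, not proof of a problem on its own.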

  • The topic ‘Feature request: more failed login details’ is closed to new replies.