I have tested the wordfence plugin on this site and it does work, locking me out of the admin login page and then showing my IP in the blocked connection page. However, last night we had an IP attempt to login something like 4k times in a half hour and we received a massive amount of e-mails from WordFence about blocking their IP from login, but it didn't actually block the IP or add it to the blocked IPs from logins list. I eventually blocked it at our edge router.
Can I be helpful in helping debug this situation? Perhaps there is a string that they are able to use that WordFence is not handling? From what I can see, it doesn't look like WordFence parsed the IP correctly since from the logs I see this:
18.104.22.168 - - [09/Sep/2012:20:06:31 -0400] "POST /wp-login.php HTTP/1.0" 200 1354 "http://www.oursite.coop/wp-login.php" "Mozilla/5.0 (Windows; U; Win
dows NT 5.1; ru; rv:22.214.171.124) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
And the messages from WordFence (the time appears to be off by 4 hours -- the date/time of the e-mail sent shows it matches up with the alerts). I don't see any instance of this IP below in the access logs:
This alert was generated by Wordfence on "Our Site at Monday 10th of September 2012 at 12:06:10 AM
A user with IP address 10.6.11.135 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 4 User IP: 10.6.11.135