Forum Replies Created

Viewing 1 replies (of 1 total)
  • Thread Starter a

    (@xistence)

    Thank you for the response!

    Instead of “easy” it should have said “better” 🙂

    I totally agree with you that additional solutions like Jetpack are great. The problem is, you and I know this, but it’s not the default and thus many people will not opt to install these. The whole point is that by default WordPress is not protected and those sites are part of the security problem of the web.

    I also agree with you that CAPTCHA and IP grey listing are not the perfect solutions, but now there’s no solution by default at all 🙂
    Those were also merely suggestions; there are probably much better solutions everybody involved with WordPress development could think of together.

    Something like adding small delays on login attempts would greatly improve protection already. For example, if IP 123.123.123.123 tries to log in 5 times within a 1 minute timeframe, it would get blocked for 1 minute, after which the user can try again.
    This wouldn’t have too much of an impact on legit users trying to log in and doesn’t totally lock them out.
    This, however, would help make automated brute force bots way slower, as they are not able to continuously hammer the wp-login.php/xmlrpc.php, but are restricted to that same 1 minute timeframe with only 5 login attempts.
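
The throttle proposed in the post above (5 login attempts per IP within 1 minute, then a 1-minute block), as an added example that is not part of the original post and is not WordPress code. It assumes failed attempts are what gets counted and that a successful login resets the count; the class name, function names and the sample address are made up for this illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5      # attempts allowed per window (value from the post)
WINDOW_MS = 60_000    # 1-minute counting window (value from the post)
BLOCK_MS = 60_000     # 1-minute block (value from the post)

class LoginThrottle:
    """Per-IP sliding-window throttle. Times are integer milliseconds."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> recent failure times
        self.blocked_until = {}             # ip -> time the block ends

    def allowed(self, ip, now):
        """True if an attempt from ip may reach the password check."""
        if now < self.blocked_until.get(ip, 0):
            return False
        self.blocked_until.pop(ip, None)    # block expired: forget it
        return True

    def record_failure(self, ip, now):
        q = self.failures[ip]
        q.append(now)
        while now - q[0] >= WINDOW_MS:      # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_MS
            q.clear()                       # start counting afresh after the block

    def record_success(self, ip):
        self.failures.pop(ip, None)         # assumption: success resets the count

def guesses_checked(throttle, ip, interval_ms, duration_ms):
    """Constructed bot: one wrong guess every interval_ms; count those tested."""
    checked = 0
    for now in range(0, duration_ms, interval_ms):
        if throttle.allowed(ip, now):
            checked += 1
            throttle.record_failure(ip, now)
    return checked

if __name__ == "__main__":
    ip = "203.0.113.7"  # constructed documentation address
    tested = guesses_checked(LoginThrottle(), ip, 100, 600_000)
    print(tested, "of 6000 guesses reached the password check")
```

The `ip` key should be the connection's peer address as the server sees it, since keying on a client-supplied header lets the client choose its own counter.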
