Brute Force Protection

From iThemes Codex



Given unlimited time and an unlimited number of password guesses, an attacker would eventually get into your site, right? This method of attack, known as a brute force attack, is something WordPress is acutely susceptible to by default, as the system doesn't care how many attempts a user makes to log in. It will always let you try again. Enabling login limits will ban the host or user from attempting to log in again after the specified bad login threshold has been reached.

Network vs Local Brute Force Protection

Local brute force protection looks only at attempts to access your site and bans users per the lockout rules specified locally. Network brute force protection takes this a step further by banning users who have tried to break into other sites from breaking into yours. The network protection will automatically report the IP addresses of failed login attempts to iThemes and will block them for a length of time necessary to protect your site based on the number of other sites that have seen a similar attack.

Get your iThemes Brute Force Protection API Key

Simply enter the email address associated with your iThemes account and your API key will be generated. Don't reuse the API key on other sites. Just re-enter your email on each site and a key unique to that site will be generated.

Enable iThemes Brute Force Network Protection

Use the iThemes IPCheck Service to ban IPs reported as a problem by other users in the community.

Enable local brute force protection

Enable local brute force protection.

Max Login Attempts Per Host

The number of login attempts a user has before their host or computer is locked out of the system. Set to 0 to record bad login attempts without locking out the host.

Max Login Attempts Per User

The number of login attempts a user has before their username is locked out of the system. Note that this is different from hosts in case an attacker is using multiple computers. In addition, if they are using your login name you could be locked out yourself. Set to zero to log bad login attempts per user without ever locking the user out (this is not recommended).

Minutes to Remember Bad Login (check period)

The number of minutes in which bad logins should be remembered.

Automatically ban "admin" user

Immediately ban a host that attempts to log in using the "admin" username.
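How the local settings above interact, as an added example that is not iThemes Security's own code: a small Python model of the per-host limit, per-user limit, check period and "admin" ban. The class name, the threshold values and the exact counting rule (a sliding window that locks out once the count reaches the limit) are assumptions made for illustration.

```python
from collections import defaultdict, deque


class BruteForcePolicy:
    """Toy model of the local settings above (hypothetical class, not plugin code)."""

    def __init__(self, max_per_host=5, max_per_user=10,
                 check_period_min=5, ban_admin=True):
        # Default thresholds are constructed sample values.
        self.max_per_host = max_per_host      # 0 = record only, never lock the host
        self.max_per_user = max_per_user      # 0 = record only, never lock the user
        self.window = check_period_min * 60   # seconds a bad login is remembered
        self.ban_admin = ban_admin
        self.by_host = defaultdict(deque)     # host -> timestamps of bad logins
        self.by_user = defaultdict(deque)     # username -> timestamps of bad logins
        self.log = []                         # every bad login is recorded

    def _count(self, bucket, key, now):
        q = bucket[key]
        q.append(now)
        # Forget bad logins that fall outside the check period.
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def record_failure(self, host, username, now):
        """Record one bad login; return the set of lockouts it triggers."""
        self.log.append((now, host, username))
        host_hits = self._count(self.by_host, host, now)
        user_hits = self._count(self.by_user, username, now)
        locked = set()
        if self.ban_admin and username == "admin":
            locked.add("host")                # immediate ban, no threshold
        if self.max_per_host and host_hits >= self.max_per_host:
            locked.add("host")
        if self.max_per_user and user_hits >= self.max_per_user:
            locked.add("user")
        return locked


def rotated_hosts(policy, username, hosts, start=0):
    """Constructed scenario: one bad login per second, each from the next host in the list."""
    return [policy.record_failure(h, username, start + i)
            for i, h in enumerate(hosts)]
```

With a host limit of 3 and a user limit of 4, four guesses spread over two hosts never trip the host limit but do trip the user limit, which is the multiple-computers case the per-user setting is meant to cover.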

