Brute force attack aims at being the simplest kind of method to gain access to a site (wordpress or not). It combines usernames and passwords, over and over again, until it gets in. That is the main reason why you should always use secure passwords and avoid common usernames (admin, siteadmin, etc…)
The simple way to protect your WordPress site from brute force is to lock the access to wp-login.php file with htaccess.
<Files wp-login.php> Order Deny,Allow Deny from all Allow from x.x.x.x Allow from y.y.y.y </Files> |
You can add as much as you want IPs inside the Files block and all other IPs will be blocked with Error 403 (Forbidden error).
Unfortunately this is not the nicest way because IPs you’re accessing from are not always static…