While Chapter 5, Login Lock-Down, concentrated on securing administrative access, there are a couple of additional safeguards that we can establish for regular user access too.
Johan Eenfeldt's plugin is a must-have, both for subscription sites and for non-subscription sites where, for whatever reason, you do not protect your wp-admin account using Apache's access or authorization modules:
Limit Login Attempts – http://wordpress.org/extend/plugins/limit-login-attempts
It does just what it says on the tin, limiting the number of times someone can attempt to log in before locking them out temporarily. Put another way: it prevents brute forcing.
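To show the mechanism behind that temporary lockout, here is an added sketch using WordPress's own login hooks; it is not the Limit Login Attempts plugin's code. The `demo_` names, the thresholds and the choice of transients for storage are all assumptions made for the illustration.

```php
<?php
// Added illustration of per-address login throttling. Not the plugin's code.
// All three limits below are assumed values, chosen for the example.
const DEMO_MAX_RETRIES  = 4;     // failed attempts allowed before a lockout
const DEMO_LOCKOUT_SECS = 1200;  // lockout length (20 minutes)
const DEMO_WINDOW_SECS  = 43200; // failure count expires after 12 hours

// Build a transient key per client address. REMOTE_ADDR is the direct peer:
// behind a reverse proxy every visitor shares it, so the address must then
// be taken from a header set by that trusted proxy instead.
function demo_key( $prefix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return $prefix . md5( $ip );
}

// True while this address is inside a lockout period.
function demo_is_locked() {
    return (int) get_transient( demo_key( 'demo_lock_' ) ) > time();
}

// Count each failed login; start a lockout once the limit is reached.
add_action( 'wp_login_failed', function ( $username ) {
    if ( demo_is_locked() ) {
        return; // attempts made during a lockout do not extend it
    }
    $count = (int) get_transient( demo_key( 'demo_fail_' ) ) + 1;
    if ( $count >= DEMO_MAX_RETRIES ) {
        set_transient( demo_key( 'demo_lock_' ), time() + DEMO_LOCKOUT_SECS, DEMO_LOCKOUT_SECS );
        delete_transient( demo_key( 'demo_fail_' ) );
    } else {
        set_transient( demo_key( 'demo_fail_' ), $count, DEMO_WINDOW_SECS );
    }
} );

// Runs after core's credential checks (priority 20), so a lockout overrides
// the result even when the submitted password is correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( demo_is_locked() ) {
        $left = (int) get_transient( demo_key( 'demo_lock_' ) ) - time();
        return new WP_Error( 'too_many_retries',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', (int) ceil( $left / 60 ) ) );
    }
    return $user;
}, 100, 3 );
```

Because the counter is keyed on the client address, it slows a single source guessing many passwords; guesses spread across many addresses stay under the per-address limit.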