Login Lockdown is an ingenious plugin that helps ward off brute-force attacks. It works by temporarily blocking users by their IP address if they fail to log in X times.
Out of the box, the default settings are pretty good, but I still recommend you set the Lockout Length as high as you feel comfortable with. The longer malicious users are blocked from the login page, the better.
It’s also a good idea to limit the Max Login Retries. This is easier if you’re managing passwords with software because you’ll never enter an incorrect combination.
Lastly, there’s a feature to Mask Login Errors, which means you won’t have to add the code to hide login errors manually.
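A minimal sketch of the mechanism described above (count failed logins per IP address, lock the address out for a fixed time, and mask login errors), written as a small WordPress plugin file. This is an added example, not the Login Lockdown plugin's own code; the `demo_` names, the constant values and the retry window are assumptions chosen for illustration.

```php
<?php
// Assumed values standing in for the plugin's settings.
const DEMO_MAX_RETRIES    = 3;        // "Max Login Retries"
const DEMO_RETRY_WINDOW   = 5 * 60;   // seconds a failure count is remembered
const DEMO_LOCKOUT_LENGTH = 60 * 60;  // "Lockout Length" in seconds

// One transient per client address. Behind a reverse proxy REMOTE_ADDR is the
// proxy's address, so all visitors would share a single counter.
function demo_lockout_key( $prefix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return $prefix . hash( 'sha256', $ip ); // hashed only to get a fixed-length key
}

// Count each failed login and lock the address once the limit is reached.
add_action( 'wp_login_failed', function ( $username ) {
    if ( get_transient( demo_lockout_key( 'demo_lock_' ) ) ) { return; }
    $fails = (int) get_transient( demo_lockout_key( 'demo_fails_' ) ) + 1;
    if ( $fails >= DEMO_MAX_RETRIES ) {
        set_transient( demo_lockout_key( 'demo_lock_' ), 1, DEMO_LOCKOUT_LENGTH );
        delete_transient( demo_lockout_key( 'demo_fails_' ) );
    } else {
        set_transient( demo_lockout_key( 'demo_fails_' ), $fails, DEMO_RETRY_WINDOW );
    }
} );

// Refuse authentication while the address is locked. The late priority runs
// after core's username/password check, so a correct password is rejected too.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( demo_lockout_key( 'demo_lock_' ) ) ) {
        return new WP_Error( 'demo_locked', 'Login is temporarily disabled.' );
    }
    return $user;
}, 100, 3 );

// Mask login errors: one generic message, so the form does not reveal whether
// the username or the password was wrong (or that a lockout is active).
add_filter( 'login_errors', function ( $message ) {
    return 'Login failed.';
} );
```

Transients can be evicted early when a persistent object cache is in use, so a lockout stored this way is a best-effort control rather than a guaranteed one.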