Every day I open my email to find at least a dozen (usually more like 2 dozen) login attempts from different IPs on a site I made. They seem to keep going until they're locked out, then switch IPs. I'm blocking each IP as it locks out, but it doesn't really matter, since they just move on to another one straight away.
I'm using the Limited Login Attempts plugin and I had so many login attempts it upgraded me to the premium version for free, but it only gives you 1,000 failed logins a month before it reverts you to the standard version – I reached this in around 3 days.
It's only a small site for a local church, I don't know why it's being targeted. Limited Login Attempts is keeping them all out so far, but it's making me nervous. Is there anything else I can do to stop it?
Sure, presumably for a website the public don’t need to log in, so take the site “offline” and publish a static copy. Then there’s no longer anything to log in to, you won’t need to pay hosting fees (static hosting is free), it’ll be much quicker and it won’t fail after a plugin update. 😉
Blocking IPs is usually ineffective. Use strong unique passwords, use 2FA on all admin-level accounts, keep the software stack updated, don’t keep unnecessary plugins around, replace plugins that haven’t been updated in a year, add Cloudflare to the mix if possible, etc. If you’re the only one logging into the admin area, you can also put wp-login.php behind HTTP authentication. If it’s a VPS or dedicated server, you can use CrowdSec to prevent brute-force protection at firewall and web server levels (much faster and more efficient than any WordPress plugin).
Login attempts are not a cause for concern on their own, unless they’re happening in the thousands or more every day, which can put unnecessary strain on the server. If you implement some of the above measures, your site will be safe and brute force attempts will also be blocked.
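The rotating-IP pattern from the question, and why per-IP blocking does not catch it, as an added example that is not part of the original thread. It assumes a "combined" format access log and stock WordPress behaviour (a failed login re-renders the form with status 200, a successful one redirects with 302); the function names, thresholds and sample log are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def _line(ip, minute, method="POST", path="/wp-login.php", status=200):
    """Build one constructed log line in combined format."""
    return (f'{ip} - - [12/Mar/2024:02:{minute:02d}:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 4512 "-" "Mozilla/5.0"')

# Constructed sample: three IPs each stop at 3 failures (under a 4-try lockout), then rotate.
SAMPLE_LOG = "\n".join(
    [_line(f"203.0.113.{10 + i // 3}", i) for i in range(9)]
    + [_line("198.51.100.7", 30, status=302),        # successful admin login
       _line("198.51.100.7", 31, "GET", "/", 200)]   # ordinary page view
)

def parse_login_posts(log_text):
    """Yield (ip, timestamp, status) for every POST to wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)

def summarize(log_text, per_ip_limit=4, site_limit_per_hour=5):
    """Compare a per-IP threshold with a site-wide hourly threshold."""
    per_ip, per_hour = Counter(), defaultdict(Counter)
    for ip, ts, status in parse_login_posts(log_text):
        # Assumption: status 200 on a login POST means the attempt failed.
        if status == 200:
            per_ip[ip] += 1
            per_hour[ts.strftime("%Y-%m-%d %H:00")][ip] += 1
    return {
        "ips_over_limit": sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit),
        "hours_over_limit": {
            hour: {"failures": sum(c.values()), "distinct_ips": len(c)}
            for hour, c in per_hour.items() if sum(c.values()) >= site_limit_per_hour
        },
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

No single address crosses the per-IP limit, but the site-wide hourly count does, which is the signal to alert on or to use as the trigger for putting wp-login.php behind HTTP authentication.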