I just sent out the November reports for WP-Ensure.
There’s been a recent spike in brute-force attacks using actual usernames. Anyone logging in using a non-existing username can easily be blocked, but if there’s a real username or email behind it the bots know they are onto something and will keep trying to guess the password.
It’s a good thing we can limit the number of tries a bot gets before being blocked. Combined with Google ReCaptcha and enforced strong passwords, there will be enough for them to chew on for a while.
Sometimes the simplest way to throw bots off for a while is for site-owners to change their username (has to be updated straight in the database) and/or email address. This gives you a few months of peace usually, and any leaked usernames/emails are useless again.
If things get really bad, there’s always 2FA. It’s great that 2FA is becoming more mainstream but unfortunately for most regular users, it’s still too complicated. Tech-savvy users probably already have an authenticator app, but let’s face it. 2FA is a pain in the neck.
As a side-note, my phone took a dive into my aquarium a month and a half ago, and you can imagine the fun of trying to reset all my 2FA. If you’re accident-prone you might want to just keep an old phone on your computer desk just for logging in purposes 🙂