Hacking programs to launch automatic brute force attacks against your WordPress wp-admin panel to try and guess your password are easy to find and use, any kid can download them and fire it up against your blog. The following WordPress plugins will limit the number of password tries that someone can attempt and stop brute force attacks.
Besides the plugin, other measures you should take to protect your WordPress login credentials are disabling the default “admin” username and make sure that you have a long strong passphrase that is not used anywhere else. A free password manager like Dashlane or KeePass will help you forge and store passwords securely.
Wordfence: A very complete security WordPress plugin that not only limits brute force attacks but also scans your blog checking for default WordPress code changes and vulnerabilites. This a full security suite WordPress plugin with a wealth of real time information about your visitors and attackers, from computer IPs automatically resolved to a country, to the usernames they have tried and much more. A little heavy on resources in comparison with the other plugins.
Login LockDown: The plugin I am using in my blog, it will limit the maximum login retries to three and once somebody goes over that limit, time period restrictions come into effect, starting with a 5 minutes delay before the next try is possible, delays keep growing until you are finally totally locked out for one hour. Lock out time settings can be changed. I would also advise you to enable the lockout of invalid usernames in settings.
Login Security Solution: I tried this plugin and I found it more suitable for blogs with multiple users. This plugin is perfect to force your users change passwords every few months and enforce password strength rules, but if you are the only person with access to the blog, like me, most of the features of this plugin will not be of much use, but it will still limit login attempts and protect you like similar plugins.
Cerber Security: A WordPress plugin that can blacklist and whitelist IPs in addition to protecting from brute force attacks limiting the number of login attempts. Other security features include blocking access to pingback, which can be used to launch denial of service attacks, blocking a whole network from accessing the website, create a custom login URL hiding wp-login.php and adding antispam reCAPTCHA in registration and comments form.
Jetpack: A full suite WordPress plugin for search engine optimisation that in addition to blog themes, site status and other SEO tools, it also includes brute force protection and two factor authentication. The free version of this plugin covers limiting login attempts, but for further options you will be asked to pay for the premium.