If for some reason you aren't running the full Wordfence plugin, use Wordfence Login Security for robust, layered protection from brute force attacks.
Wordfence Login Security contains a small subset of the features available in the full Wordfence plugin. Looking for comprehensive WordPress security?
Two-factor authentication, or 2FA, adds a second layer of security to your users' accounts. It requires them to not only enter their password, but also a second piece of information only they have access to. An account protected by 2FA is virtually impossible to compromise. Even if an attacker discovers your username and password somehow, they still can't log in.
XML-RPC is an interface that allows WordPress to communicate with other applications. It is, unfortunately, often overlooked by WordPress users when discussing login security. "Just move your login page and you're secure!" they say with bravado. Unfortunately, they are often wrong. In fact, the majority of login attempts blocked by Wordfence hit XML-RPC, not the site's login page. Wordfence Login Security lets you secure XML-RPC by protecting it with 2FA or disabling it altogether.
In recent years, the size of botnets available for attackers has exploded. In the context of WordPress login security, this means that attackers have more compromised machines and IPs to use in their attacks. By spreading attacks across much larger pools of IP addresses, they are able to dial the number of login attempts made by each IP address down so far that they evade even the most aggressive login attempt limiting rules, at least at the site level. Wordfence Login Security lets you enable CAPTCHA on your login and registration pages, adding a critical security layer to your site.