I need to study the .htaccess code that BFP inserts, but I am getting some really weird results.
Even with this plugin, I’m getting notices from limit login attempts that my threshold was being exceeded, which is something I don’t understand. Isn’t this entry in my .htaccess supposed to block brute force attempts *before* WordPress even loads?
I have also tried whitelisting my IP in .htaccess — with the same result. The 50 times a day notices are down to three or four per week, but still, how is this even possible? Is there a login back-door somewhere in WordPress?
This BTW is on all of my sites. Here is a link to one:
https://causesofeatingdisorders.org/