Can I delete this or clear it?
Yes, you can delete the file, it’s safe.
Is it normal to have the file grow to this size?
It’s not normal. The file is used to store the failed user authentication attempts AFTER they are sent to the inbox assigned to receive the email notifications.
If the file is not being automatically reset after the email, it is either because the login attempts are too many and your SMTP server is not able to send the emails fast enough, or because the number of attempts is at least one less than the maximum that you defined in the settings page, per hour; the plugin assumes that there are not enough attempts to report a brute-force attack and so it copies the logs into the old file and resets the main one.
This is not a bug per se; the plugin offers an option in the settings page called “Data Storage” that allows the admin user to reset the content of the security logs and cache created by the plugin. I will mark this ticket as resolved. Feel free to re-open if you need more information.