Do you know if the login attempts are CAS logins? The feature should apply only to WordPress logins (POST to wp-login.php).
Also, it doesn’t actually block the traffic from the IP address, it just stops WordPress from processing their login attempt. (You’ll need something like fail2ban on the web server if you want to get firewall rules created to block nefarious traffic.)
Here is how the plugin institutes lockouts:
* Attempts with a blank username or a blank password are ignored
* If the login attempt is for an existing username, it gets the following user meta for them: auth_settings_advanced_lockouts_time_last_failed and auth_settings_advanced_lockouts_failed_attempts; if the login attempt is for a nonexistent username, it gets those values from site options (wp_options table)
* It checks those values against the plugin options for Limit invalid login attempts and if a lockout is reached, it prevents WordPress from checking the password they provided against the value in the database (instead it just sends them back to the login page with an error)
In practice, this basically means there is a global counter for all nonexistent usernames. So if there are multiple bots trying to log in, once the counter for them is surpassed, they all get blocked for the time specified. For existing users, the block only applies to attempts on that username (so bots hammering a specific username will also block legitimate attempts on that username, but won’t affect other users logging in).
If you have a plugin like Simple History installed, it should stop logging the failed logins once the lockout is implemented. (So anything that shows up in Simple History are attempts that Authorizer is not blocking.) It would probably be nice to have Authorizer hook into the Simple History logger and report when it’s blocking!
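
The lockout behaviour described in the post above, as a simplified stand-alone model (an added example, not Authorizer's code and not part of the original post). The threshold, the lockout duration, the counter reset on success or expiry, and all names are assumptions made for illustration.

```python
MAX_ATTEMPTS = 3        # assumed value for "Limit invalid login attempts"
LOCKOUT_SECONDS = 600   # assumed lockout duration
GLOBAL_KEY = "__nonexistent__"  # hypothetical stand-in for the wp_options counter


class LockoutModel:
    def __init__(self, users):
        self.users = dict(users)  # constructed sample accounts: username -> password
        self.state = {}           # counter key -> (failed_attempts, time_last_failed)

    def attempt(self, username, password, now):
        # Blank username or blank password: ignored, no counter is touched.
        if not username or not password:
            return "ignored"
        # Existing usernames get their own counter; all others share one.
        key = username if username in self.users else GLOBAL_KEY
        failed, last = self.state.get(key, (0, 0))
        if failed >= MAX_ATTEMPTS:
            if now - last < LOCKOUT_SECONDS:
                return "locked"   # the password is never checked
            failed = 0            # lockout expired (assumed reset)
        if self.users.get(username) == password:
            self.state.pop(key, None)  # assumed: success clears the counter
            return "ok"
        self.state[key] = (failed + 1, now)
        return "failed"


def demo():
    m = LockoutModel({"alice": "correct-horse", "bob": "hunter2"})
    out = []
    # Three guesses at different nonexistent usernames fill the shared counter.
    for t, name in enumerate(["admin", "root", "test"]):
        out.append(m.attempt(name, "x", now=t))
    # A fourth nonexistent username is locked out by that same counter.
    out.append(m.attempt("webmaster", "x", now=10))
    # Existing users are not affected by the shared counter.
    out.append(m.attempt("alice", "correct-horse", now=11))
    # Failed attempts on one existing username lock that username only.
    for t in (20, 21, 22):
        m.attempt("bob", "wrong", now=t)
    out.append(m.attempt("bob", "hunter2", now=30))   # correct password, still locked
    out.append(m.attempt("alice", "correct-horse", now=31))
    out.append(m.attempt("bob", "hunter2", now=22 + LOCKOUT_SECONDS))
    return out


if __name__ == "__main__":
    print(demo())
```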