H1cH4m

you will find it in the htaccess file

i have the same problem with 4.0

also BruteProtect plugin can be bypassed if someone programme a script for brute forcing and using a proxy each time he get banned

well , to secure wp-login.php is easy , just put a firewall , but the problem isl in xmrpc.php , people use it to brute force using POST method , also if i secure wp-login.php and somebody use xmlrpc.php and get the user and password , what he can do with it ?