There has been a lot of talk recently about WordPress sites coming under brute-force attacks on the admin login form by dumb bots. That is mostly because a default WordPress install doesn’t have a lockout feature for wrong passwords; you need a plugin for that. I use Wordfence to lock out/ban any IP that has three wrong passwords in a row. But it doesn’t tell me how many attempts were made from multiple IPs. To find that out, you can do this (assuming you have access to your Linux server):
:~# cat /var/log/nginx/access.log | grep "wp-login.php" | wc -l
431
What this does is check the Nginx access log for instances of “wp-login.php”. In my case, there were 431 unsuccessful brute-force attempts.
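The grep count includes every log line that mentions wp-login.php (page views, referers, successful logins), so the script below, an added example that is not part of the original post, counts only form submissions and breaks them down per IP. It assumes Nginx's default "combined" log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes Nginx's default "combined" log format, where awk sees:
#   $1 = client IP, $6 = "METHOD, $7 = request path, $9 = HTTP status

# Print "<count> <ip>" for login form submissions, busiest IP first.
wp_login_posts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Count submissions answered with 200.
# Assumption: WordPress re-renders the form (200) on a wrong password and
# redirects (302) on success; a security plugin may change these codes.
wp_login_failed_total() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { c++ }
         END { print c + 0 }' "$1"
}

# Constructed sample lines (documentation IP ranges), not real traffic.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [10/May/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "bot"
203.0.113.5 - - [10/May/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "bot"
203.0.113.5 - - [10/May/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "bot"
198.51.100.7 - - [10/May/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "bot"
198.51.100.7 - - [10/May/2013:10:05:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "bot"
192.0.2.10 - - [10/May/2013:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla"
192.0.2.10 - - [10/May/2013:11:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "http://example.com/wp-login.php" "Mozilla"
EOF
}

# Use the log given as first argument, or fall back to the constructed sample.
LOG="${1:-}"
TMP=""
if [ -z "$LOG" ]; then
    TMP=$(mktemp)
    sample_log > "$TMP"
    LOG="$TMP"
fi
echo "matching lines (grep):  $(grep -c 'wp-login.php' "$LOG")"
echo "failed login POSTs:     $(wp_login_failed_total "$LOG")"
wp_login_posts_by_ip "$LOG"
[ -z "$TMP" ] || rm -f "$TMP"
```

Run it with the log path as the first argument, for example /var/log/nginx/access.log; with no argument it runs on the constructed sample.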