Limiting brute-force attacks on WordPress

I use paid plugins for security and I limit access to IP ranges, but I still get people attempting brute-force login attacks from all over the world. How come?


This is due to xmlrpc.php, a feature for accessing WordPress via apps, which has now been replaced by an API (I merely reference Hostinger).

So I'm appending this type of stanza to the .htaccess file in the top-level directory, with xxx.xxx.xxx.xxx replaced by the address that should keep access.

<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>

Or, as the article says, get a plugin to disable it if you are not a sysadmin.
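
To confirm the stanza is doing its job, the access log can be checked for xmlrpc.php requests from outside the allowed range that did not receive a 403. The script below is an added example, not part of the original post; it assumes Apache's common/combined log format, and the log lines, the allowed range 203.0.113.0/24 and the function name audit_xmlrpc are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Prefix of Apache's common/combined log format: client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Mar/2024:10:01:07 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.23 - - [12/Mar/2024:10:01:08 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.77 - - [12/Mar/2024:10:02:11 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 413 "-" "-"',
    '203.0.113.10 - - [12/Mar/2024:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "-"',
    '198.51.100.23 - - [12/Mar/2024:10:04:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "-"',
]


def audit_xmlrpc(lines, allowed_networks):
    """Return (denied, leaks) for xmlrpc.php requests from non-allowed clients.

    denied: Counter of client IP -> number of requests answered with 403.
    leaks:  list of (ip, method, path, status) that were NOT answered with 403.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    denied, leaks = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is in some other format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not path.lower().endswith("/xmlrpc.php"):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname instead of an address (HostnameLookups on)
        if any(ip in net for net in allowed):
            continue  # the "allow from" address is expected to get through
        if int(m["status"]) == 403:
            denied[str(ip)] += 1
        else:
            leaks.append((str(ip), m["method"], m["path"], int(m["status"])))
    return denied, leaks


if __name__ == "__main__":
    print(audit_xmlrpc(SAMPLE_LOG, ["203.0.113.0/24"]))
```

An empty leaks list means every outside request to xmlrpc.php was refused; any entry in it points to a path the deny rule is not covering.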

#SysadminsHateWordpress