Login With Limited Attempts

A VPN would get around this again and again if you’re relying on the IP. Have seen it many times with thousands of attempts. Check that the username exists, then after repeated attempts lock the account and mail the user automatically to inform them. Then implement a procedure for account recovery.

2 Likes

I forgot to add to the above: include reCAPTCHA with confirmation of the user’s existence in the database, then you will see fewer brute-force-type events. Still not perfect, but on the flip side not too difficult to implement either…

1 Like
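The per-account lockout described in the posts above, as an added example that is not part of the original thread. The names `LoginGuard`, `MAX_FAILURES`, `WINDOW_SECONDS` and the `notify` callback (standing in for a mailer) are assumptions, the sample account is constructed, and the reCAPTCHA step is left out.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5          # assumed threshold before the account is locked
WINDOW_SECONDS = 15 * 60  # assumed window in which failures are counted

def hash_password(password, salt=b"constructed-salt"):
    # Fixed salt only to keep the example short; use a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    email: str
    password_hash: bytes
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked: bool = False

class LoginGuard:
    def __init__(self, accounts, notify):
        self.accounts = accounts  # username -> Account
        self.notify = notify      # callable(email, message), e.g. a mailer

    def attempt(self, username, password, source_ip, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        # Unknown user and locked account give the caller the same answer.
        if acct is None or acct.locked:
            return "denied"
        if hmac.compare_digest(hash_password(password), acct.password_hash):
            acct.failures.clear()
            return "ok"
        # Failures are counted per account; source_ip is only reported,
        # so rotating addresses through a VPN does not reset the count.
        acct.failures = [t for t in acct.failures if now - t < WINDOW_SECONDS]
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked = True
            self.notify(acct.email, f"Account locked after {MAX_FAILURES} "
                                    f"failed logins; last source {source_ip}")
        return "denied"

    def recover(self, username):
        # Call only after the user has completed the recovery procedure.
        acct = self.accounts[username]
        acct.locked = False
        acct.failures.clear()
```
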