Locking up WordPress – securing your login

An easy way to tighten security for the login form (wp-login.php) on your site is to restrict access to it. People won’t be able to brute-force it, simply because your blog won’t let them reach it. I’ll show you how to set this up using the IIS Rewrite module.

It’s actually pretty simple. All you need to do is block all access to your wp-login.php file. This way, people won’t be able to access it or brute-force it. There is one downside, though: if you restrict all access to it, you can’t reach your admin panel either. Luckily for us, the Rewrite module allows us to set up some conditions for this block.

We use two conditions for this rule. The first is based on the URL: we tell the Rewrite engine to do its magic only on requests to the wp-login.php file. The second condition excludes some specific IPs from this rule. This way we deny access by default, except for the addresses we allow to log in.
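
A web.config rule matching that description, as an added example rather than configuration from the original post. The rule name and the two allowed addresses (documentation-range placeholders) are assumptions, and it presumes the URL Rewrite module is installed and that web.config sits in the WordPress root.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Hypothetical rule name; any unique name works. -->
        <rule name="Restrict wp-login.php" stopProcessing="true">
          <!-- Condition 1: only requests for wp-login.php in the site root.
               The pattern is matched against the path relative to this
               web.config, without the leading slash or query string. -->
          <match url="^wp-login\.php$" />
          <!-- Condition 2: the client is NOT one of the allowed addresses.
               MatchAll + negate means the rule fires only when the client
               matches none of the entries, i.e. deny by default. -->
          <conditions logicalGrouping="MatchAll">
            <!-- Constructed sample addresses; replace with your own. -->
            <add input="{REMOTE_ADDR}" pattern="^203\.0\.113\.10$" negate="true" />
            <add input="{REMOTE_ADDR}" pattern="^198\.51\.100\.25$" negate="true" />
          </conditions>
          <!-- Everyone else gets a 403 instead of the login form. -->
          <action type="CustomResponse"
                  statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Access to the login page is restricted." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

{REMOTE_ADDR} is the address of the direct TCP peer, so behind a reverse proxy or load balancer every request arrives with the proxy’s address. In that setup, enforce the allowlist at the proxy, or test a header that the proxy sets and clients cannot forge.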


Is it really that simple? Yes it is :)