I'm getting attacks at wp-admin from numerous countries and IPs. When I get a notification from Wordfence that there has been an attack, I blacklist the originating country from the WP backend. Then I get more attacks from other countries. Should I keep blacklisting countries, or try another method?
(Already in place: good password, not an obvious login name, 3 failures, 3 failed forgotten passwords, 4-hour lockout.)
Thanks for any suggestions.