Blocking bruteforce attack on WordPress’s wp-login.php using Nginx’s Limit Request Module. Also includes whitelisting of IP example and test-cases.

This works without any WordPress plugin.