Set up an SSH auth key login include a passphrase. The private SSH key (the part that can be passphrase protected), is never exposed on the network. The passphrase is only used to decrypt the key on the local machine. This means that network-based brute forcing will not be possible against the passphrase. And I would do what janiosarmento suggested changing the wp-login.php so they can't even attempt a brute force on WordPress login.
↧