Hook to check a visitor’s IP address before showing him the login form

1.)
You could use login_init and $_SERVER['REMOTE_ADDR'] from PHP
https://developer.www.ads-software.com/reference/hooks/login_init/
https://www.php.net/manual/en/reserved.variables.server.php

2.)

Once I determine the visitor is an abuser attempting to brute-force the login form,…

If this is your purpose, I would recommend you just use a plug-in instead of coding a custom solution.

For example, in the plug-in directory, search “limiting login”
https://www.ads-software.com/plugins/search/limiting+login/

Thank you Steven…
Actually, I’d really like to do it in code rather than using a plugin because I’m already doing all kinds of checks on it once I have the IP address and I want to stick with those checks. I was hoping I could just bail out of WordPress immediately or do a 401 or similar …wouldn’t that be a reasonable option?

I was hoping I could just bail out of WordPress immediately or do a 401 or similar …wouldn’t that be a reasonable option?

You can use wp_die()
https://developer.www.ads-software.com/reference/functions/wp_die/

Yes, that seems to be working now. Actually I had an unrelated bug in my code that was preventing all this from working properly. Thanks again for recommending ‘login_init’ hook …it is working. I had been using the ‘login_form_login’ hook but ‘login_init’ makes more sense for this purpose.