IMHO you don’t understand how plugin works.
Plugins blocks 100% of brute-force requests.
And also plugin tries to stop some of the brute-force attacks by sending fake cookie and fake redirect requests.
It is impossible to stop 100% of brute-force attacks.
But if you have any fresh ideas – you may share them here.
So without this plugin (or any similar) your site is not protected at all.
Be careful, because if your site will be not protected and if attackers will brute-force your password – your site will be hacked.
The simple solution – you may rename wp-login.php file until the attack will be finished.
And also you may share the details of the attack to your site and probably other users can help you.
