Transparency?!

So according to the plugin description, WPBruiser will protect me from brute force attacks, but according to my logs and the email messages I get about my server load being too high, it seems like it really doesn’t.

During the past week, my WordPress installations have been under attack twice. According to WPBruiser’s internal reports, the attack has been recognized from the very first minute, and the IP was blocked. But in both cases, my systems load average went up to 15 for nearly two hours. How is that possible if the attack was recognized and the IP was blocked?

According to the logs, said IP has been hammering the server thousands of times over two hours, always receiving a http 200 “found” response. Which raises the question how exactly does WPBruiser treat blocked IPs? Does it serve bogus content? Empty pages? Is the block failing? And how could I tell? Where is this documented?

I’ve mailed support, but received no reply. Very frustrating, because of course these events give me a bad reputation with my host, and I don’t want my account suspended. So now, because of the WPBruiser team not responding, I will have to abandon WPBruiser and look elsewhere. Makes me wonder why I bought one of their paid addons.

Not recommended.