Host is very sure it isn’t them.
I don’t have any plugins installed and they don’t have access to the application so how could they install a plugin I can’t see?
I find it really hard to believe the host would actually be able to block wp-login and notice failed login attempts at this level. At the Control Panel, FTP, email etc yes, but at the WordPress login?
