@nikolov-tmw
Last active December 28, 2015 00:09
WordPress login lock - tries to prevent automated brute-force attacks against wp-login.php by requiring a secret query-string parameter on every request to it. Place the login-lock.php file in /wp-content/mu-plugins/ and add the rules from the .htaccess snippet below to the .htaccess file in your site root. If WordPress lives in a sub-directory, change the RewriteBase line in the snippet accordingly. Two caveats: the "nonce" is a static shared secret carried in the URL, so it ends up in browser history, Referer headers and access logs and should be rotated if it leaks; and only wp-login.php is gated, so other endpoints that accept credentials, such as xmlrpc.php, are not covered by these rules.
# Add this code to the .htaccess in your root WordPress directory.
# If your WordPress files are in a sub-directory, change the RewriteBase line,
# e.g. for a sub-directory called "wordpress":
# RewriteBase /wordpress/
# RewriteCond patterns are unanchored regular expressions: the secret phrase must
# be the same one set in login-lock.php, and any regex metacharacters in it
# (. ? + * ( ) [ ] and so on) must be backslash-escaped here.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Redirect to the home page upon log-out. WordPress sends the browser to
# wp-login.php?loggedout=true after logging out; that URL carries no secret
# and would otherwise be blocked by the rule below.
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} wp-login\.php
RewriteCond %{QUERY_STRING} ^loggedout=true$
RewriteRule . /index.php [R=301,L]
# Return 403 for every other request to wp-login.php whose query string does not
# contain the secret. This is a substring match and only a cheap pre-filter that
# stops PHP from running at all; the exact comparison is done in login-lock.php.
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} wp-login\.php
RewriteCond %{QUERY_STRING} !__nonce=your-super-duper-unique-and-long-phrase-here
RewriteRule . - [F,L]
</IfModule>
<?php
/*
Plugin Name: Login Lock
Plugin Description: Tries to prevent automated brute-force attacks on your WordPress site. Put this file in your "wp-content/mu-plugins/" directory. Then change the values of LL_NONCE_KEY and LL_NONCE_VALUE (the same values must be used in the accompanying .htaccess rules). Then open your login page with the parameter appended, for instance http://mydomain.com/wp-login.php?LL_NONCE_KEY=LL_NONCE_VALUE, replacing LL_NONCE_KEY and LL_NONCE_VALUE with the actual values you set.
*/

// Despite the name this is a static shared secret in the URL, not a one-time nonce:
// it shows up in browser history, Referer headers and server logs. Stick to letters,
// digits and dashes so it needs no URL-encoding and no regex escaping in .htaccess.
define( 'LL_NONCE_KEY', '__nonce' );
define( 'LL_NONCE_VALUE', 'your-super-duper-unique-and-long-phrase-here' );

// Checks whether we're on the login page.
function ll_is_login_page() {
	return stripos( $_SERVER['SCRIPT_FILENAME'], 'wp-login.php' ) !== false;
}

// True when the request carries the secret as a plain string that matches exactly.
// hash_equals() is a constant-time comparison; the is_string() guard rejects
// array-style parameters such as ?__nonce[]=..., which would otherwise reach it.
function ll_has_valid_nonce() {
	return isset( $_GET[ LL_NONCE_KEY ] )
		&& is_string( $_GET[ LL_NONCE_KEY ] )
		&& hash_equals( LL_NONCE_VALUE, $_GET[ LL_NONCE_KEY ] );
}

if ( ll_is_login_page() ) {
	// The footer script below needs jQuery, which wp-login.php does not load by itself.
	function ll_enqueue_login_jquery() {
		wp_enqueue_script( 'jquery' );
	}
	add_action( 'login_enqueue_scripts', 'll_enqueue_login_jquery', 10 );

	// Refuse every request to wp-login.php without the secret. The post-logout landing
	// page (wp-login.php?loggedout=true) carries no secret either; the accompanying
	// .htaccess rule redirects it to the home page before this code runs.
	if ( ! ll_has_valid_nonce() ) {
		wp_die( 'Unauthorized access! There is an ongoing bruteforce attack at the moment, so log-in has been disabled. Besides you probably should not be here any way. Do you want to <a href="' . home_url( '/' ) . '">go home?</a>', 'Unauthorized access!', array( 'response' => 503, 'back_link' => true ) );
	}

	// Adds some JavaScript that appends the secret to every form's "action" attribute
	// and to every wp-login.php link on the page, so that submitting the form or
	// following "Lost your password?" etc. does not trigger "Unauthorized access!".
	function login_lock_login_footer() {
		if ( ! ll_has_valid_nonce() ) {
			return;
		}
		?>
		<script type="text/javascript">
		(function($){
			var args = '<?php echo esc_js( LL_NONCE_KEY . '=' . LL_NONCE_VALUE ); ?>';

			// Only touch attributes that are actually present; elements without an
			// href/action (anchors used as buttons, for instance) are left alone.
			function rewrite( $el, name ) {
				var value = $el.attr( name );
				if ( typeof value === 'string' ) {
					$el.attr( name, add_query_args( value ) );
				}
			}

			$(document).ready(function(){
				$('form').each(function(){ rewrite( $(this), 'action' ); });
				$('body a').each(function(){ rewrite( $(this), 'href' ); });
			});

			// Appends the secret to wp-login.php URLs only, never twice, and ahead of
			// any #fragment so the query string stays well-formed.
			function add_query_args( url ) {
				if ( url.indexOf( 'wp-login.php' ) === -1 || has_query_args( url ) ) {
					return url;
				}
				var hash = '';
				var pos = url.indexOf( '#' );
				if ( pos !== -1 ) {
					hash = url.substring( pos );
					url = url.substring( 0, pos );
				}
				return url + ( url.indexOf( '?' ) !== -1 ? '&' : '?' ) + args + hash;
			}
			function has_query_args( url ) {
				return url.indexOf( args ) !== -1;
			}
		})(jQuery);
		</script>
		<?php
	}
	add_action( 'login_footer', 'login_lock_login_footer', 10 );
}

// Append the secret to the login, registration and logout URLs WordPress generates
// (wp_login_url(), wp_registration_url(), wp_logout_url()) so its own links keep working.
function ll_login_url( $login_url ) {
	return add_query_arg( LL_NONCE_KEY, LL_NONCE_VALUE, $login_url );
}
add_filter( 'login_url', 'll_login_url', 10 );
add_filter( 'register_url', 'll_login_url', 10 );

function ll_logout_url( $logout_url ) {
	return add_query_arg( LL_NONCE_KEY, LL_NONCE_VALUE, $logout_url );
}
add_filter( 'logout_url', 'll_logout_url', 10 );
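The gist's description and the plugin header describe two gates in front of wp-login.php: the mod_rewrite rules, which look for the secret anywhere in the raw query string, and the PHP check, which requires an exact match on the named parameter. The following is an added example, not code from the gist or from WordPress: it models both checks in Python and runs them over constructed sample requests, so the cases where the two layers disagree (the secret appearing as a value rather than a key, a stale secret with a suffix, the post-logout redirect, an array-style parameter) can be seen without a WordPress install. KEY and SECRET are the gist's placeholder values; the `-f` file test is assumed to pass, and the exact-match check is done with a constant-time comparison.

```python
# Added example (not part of the gist): a model of the two request gates in the
# login-lock setup, the Apache mod_rewrite rules and the PHP mu-plugin, run over
# constructed sample requests. KEY and SECRET are the gist's placeholder values.
import hmac
import re
from urllib.parse import parse_qs

KEY = "__nonce"
SECRET = "your-super-duper-unique-and-long-phrase-here"  # placeholder, replace in real use


def htaccess_decision(request_uri: str, query_string: str) -> str:
    """Mimic the RewriteCond chain from the .htaccess snippet.

    RewriteCond patterns are unanchored regular expressions, so the secret only
    has to appear somewhere in %{QUERY_STRING}, and the phrase itself is read
    as a regex (hence the escaping requirement in the real file). The
    %{REQUEST_FILENAME} -f test is assumed to pass, i.e. wp-login.php exists.
    """
    if not re.search(r"wp-login\.php", request_uri):
        return "pass"                     # rules only fire for wp-login.php
    if re.fullmatch(r"loggedout=true", query_string):
        return "301 /index.php"           # post-logout redirect rule
    if not re.search(KEY + "=" + SECRET, query_string):
        return "403"                      # [F] flag
    return "pass"


def plugin_decision(request_uri: str, query_string: str) -> str:
    """Mimic the PHP gate: $_GET[KEY] must be a plain string equal to SECRET.

    parse_qs stands in for PHP's $_GET: a repeated key yields a list (PHP keeps
    the last value, mirrored here), and "__nonce[]=..." becomes the key
    "__nonce[]", so the lookup fails just as an array fails the string
    comparison in PHP. The comparison itself is constant-time.
    """
    if "wp-login.php" not in request_uri.lower():   # stripos() in the plugin
        return "pass"
    values = parse_qs(query_string, keep_blank_values=True).get(KEY)
    if not values:
        return "503"                      # wp_die( ..., 'response' => 503 )
    if not hmac.compare_digest(values[-1].encode(), SECRET.encode()):
        return "503"
    return "pass"


# Constructed sample requests (request URI, raw query string), not captured traffic.
SAMPLES = [
    ("/wp-login.php", ""),                                    # plain scanner hit
    ("/wp-login.php", f"{KEY}={SECRET}"),                     # legitimate admin
    ("/wp-login.php", f"action=lostpassword&{KEY}={SECRET}"),  # link rewritten by the footer JS
    ("/wp-login.php", "loggedout=true"),                      # WordPress's own post-logout redirect
    ("/wp-login.php", f"redirect_to={KEY}={SECRET}"),         # secret as a value, not a key
    ("/wp-login.php", f"{KEY}={SECRET}-stale"),               # secret with a suffix
    ("/wp-login.php", f"{KEY}[]={SECRET}"),                   # array-style parameter
    ("/index.php", ""),                                       # not the login page
]


def evaluate(samples=SAMPLES):
    """Return (uri, query, htaccess verdict, plugin verdict) for each sample."""
    return [(u, q, htaccess_decision(u, q), plugin_decision(u, q)) for u, q in samples]


if __name__ == "__main__":
    for uri, query, apache, php in evaluate():
        print(f"{uri}?{query:<70} htaccess={apache:<15} plugin={php}")
```

Running it shows the division of labour: the rewrite rules are a cheap pre-filter that also keeps PHP from executing for requests with no secret at all, but they accept any query string that merely contains the phrase, while the plugin is the check that actually enforces an exact match. It also shows why the .htaccess redirect for `loggedout=true` is needed: on its own the plugin would answer that URL with a 503.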