FYI: This has also been posted here since I’m fairly new to this website and didn’t know that the WordPress part existed. Sorry for the repost.
I’m currently trying to tighten the security for a website which is running on WordPress (separate installation, not on wordpress.org / .com). I have installed Wordfence which instantly blocks all IPs which try to use an invalid user name, which works quite well (some 200+ blocked IPs / day).
Since our ISP is giving out hostnames like
www-xxx-yyy-zzz.my.isp.tld
and there are no users who need to log in besides me, I thought I would add some way to further prevent brute-force attacks.
The WP Codex has a section about preventing access to wp-login.php for anyone who is not submitting the form. In my eyes this should get rid of any scripts which try to brute-force their way in like:
www.mydomain.tld/wp-admin.php?log=admin&pwd=alex
Now for anyone submitting the form this wouldn’t work, so I added a part to the top of wp-login.php
which would check for the host name and then re-direct if it doesn’t match our ISP:
<?php
// The reverse-DNS name of the client must contain the ISP domain. Use the strict
// === false: strpos() returns 0 for a match at offset 0, and 0 == false is true.
if (strpos(gethostbyaddr($_SERVER['REMOTE_ADDR']), 'my.isp.tld') === false) {
    header('Location: http://www.google.com/');
    // Without exit the rest of wp-login.php still runs after the header is sent.
    exit;
}
?>
I checked it and this piece is working fine as well: when I try to access wp-login.php
over my mobile it throws me back to Google, and additionally I get an e-mail when somebody tries this. So far it’s only been 3-4 login attempts that I have prevented using this method.
Now from my perspective I’ve taken care of all things, but Wordfence will still send me notifications about blocked log-in attempts.
To see if it helps, I’ve added the following to the .htaccess file which is in the main WordPress folder, which, to my understanding, should deny all access except when coming from my ISP:
<Files "wp-login.php">
# Deny by default, then allow only clients whose reverse DNS is in the ISP domain.
# Without the explicit "deny from all", "order deny,allow" denies nobody.
order deny,allow
deny from all
allow from my.isp.tld
</Files>
Still the e-mails come flying in. Now the question is:
Is there any other way to call wp-login.php
in order to try to log in which I haven’t thought of? It seems that there are still ways which can be used which are not part of the scenarios mentioned above.
As commented in the other question: The IPs with the failed attempts are not spoofed to fit mine.
Any ideas, comments etc. are greatly appreciated.
So long
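As an added example, not code from the question or from WordPress, here is the hostname gate described above modelled in Python against a constructed in-memory resolver so it runs offline; it goes beyond the posted strpos() test by requiring a domain-suffix match and a forward-confirmed reverse lookup, and by returning a decision the caller must stop on (the equivalent of exit after the redirect header). The ISP domain my.isp.tld and every address and DNS record below are placeholders.

```python
import ipaddress
from typing import Callable, Optional, Sequence

ALLOWED_SUFFIX = ".my.isp.tld"  # ISP domain from the question (placeholder)

def is_allowed_host(remote_addr: str,
                    reverse_lookup: Callable[[str], Optional[str]],
                    forward_lookup: Callable[[str], Sequence[str]],
                    allowed_suffix: str = ALLOWED_SUFFIX) -> bool:
    """Forward-confirmed reverse DNS gate: the PTR name must END with the ISP
    suffix (a strpos() substring test would also accept
    'x.my.isp.tld.attacker.example') and must resolve forward back to the
    client, otherwise whoever controls an address's PTR can name it after the ISP."""
    host = reverse_lookup(remote_addr)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not host.endswith(allowed_suffix.lower()):
        return False
    try:
        client = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ipaddress.ip_address(a) == client for a in forward_lookup(host))

# Constructed sample DNS data; none of these are real records.
PTR = {
    "203.0.113.10": "www-203-0-113-10.my.isp.tld",              # genuine ISP customer
    "198.51.100.7": "www-1-2-3-4.my.isp.tld.attacker.example",  # substring trap
    "192.0.2.55": "box.my.isp.tld",                             # PTR claims ISP, forward disagrees
}
A = {
    "www-203-0-113-10.my.isp.tld": ["203.0.113.10"],
    "www-1-2-3-4.my.isp.tld.attacker.example": ["198.51.100.7"],
    "box.my.isp.tld": ["203.0.113.99"],
}

def decide(remote_addr: str) -> str:
    """Action the login gate takes for a client, using the sample resolver."""
    if is_allowed_host(remote_addr, PTR.get, lambda h: A.get(h, [])):
        return "serve wp-login.php"
    return "redirect and stop"  # header('Location: ...') followed by exit

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.55", "10.0.0.1"):
        print(ip, "->", decide(ip))
```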