Support

We did use to have that feature. Then GDPR happened. Storing the IP address together with a username deanonymizes the IP, making it illegal to collect and store. We can definitely add a switch to re-enable that feature but please bear in mind that toggling that switch makes your site non-GDPR compliant which may carry a fine of up to 4% of your global income or 20 million Euros, whichever is higher.

I'd also like to note that this information is useless anyway which is why we had not considered that feature a priority, at all.

Let's say you know that they are trying to log in, repeatedly, with a username which does not exist. You're probably going to blacklist that IP. Of course that IP will be released and belong to someone else, an innocent person, in the future. The attack was doomed to fail and all you ended up doing is blacklist an IP of a potential future visitor for no reason. It's best if you let Admin Tools auto-block the IP of the attacker.

Otherwise, let's say that it's a real user of your site. You might wonder where that came from. Stupid wannabe hackers will use a predefined list of common usernames. Semi-intelligent hackers will use your site's Authors page, if it's not disabled. Smart hackers will simply use WordPress' JSON API to find your site's usernames. So, your username is essentially public, no wonder hackers have it. What would you do? Keep changing your username? Because of the leaky API it doesn't matter; they will find the new username again -- and because it's linked to your email they will know not to start over the brute force attack.

Therefore knowing the username the hacker is trying to use doesn't help you any. The only two things you can do to prevent password brute forcing are 1. very long, random passwords (I recommend 64 randomly generated characters from the sets a-z, A-Z, 0-9 and special characters) and 2. two factor authentication / two step verification.