Getting frustrated by the constant brute-force login attempts? I am, or was. Instead of blocking IPs I ended up trusting countries (ones that have actual laws against cyber criminals, or operators that are trustworthy).
So I ended up protecting the login area using GeoIP. It took a while to parse the info from various sites, and as I've been using EE for years, I wanted to contribute this to the lovely community.
Debian/Ubuntu (installed on Debian 8.9)
Install necessary files:
apt-get install geoip-database libgeoip1
Move the existing GeoIP.dat file aside (keep a backup):
mv /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoIP.dat_bak
Update the GeoIP.dat file:
cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gunzip GeoIP.dat.gz
Edit nginx:
vi /etc/nginx/nginx.conf
Add these in the http block (the map closes with its own brace):
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
    default no;
    US yes;
}
Edit your vhost:
vi /etc/nginx/sites-available/yoursite.com
Add a new line that includes the config file we are about to create:
include common/locations-safe.conf;
Create the new config file:
vi /etc/nginx/common/locations-safe.conf
locations-safe.conf:
set $check "";
if ( $allowed_country = no ) { set $check "A"; }
if ( $request_uri ~ ^/wp-(login\.php|admin/) ) { set $check "${check}B"; }
if ( $check = "AB" ) { return 403; }
Reload nginx:
/etc/init.d/nginx reload
Now you'll block everyone outside the allowed countries who tries to access your wp-login or wp-admin. For eCommerce sites, I suggest you allow all countries you're selling to (because customers also hit wp-login.php). For more detail (wp-login, admin-ajax etc.) see: https://www.bjornjohansen.no/access-wordpress-by-ip-in-nginx
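To dry-run the rule above against your own access log before touching nginx, here is an added Python example (not part of the original post or of EasyEngine) that mirrors the map and the three `if` checks exactly. The GeoIP lookup is replaced by a constructed IP-to-country table, and the log lines are constructed too; note that $geoip_country_code uses ISO 3166-1 alpha-2 codes, so the United Kingdom is "GB", and a literal "UK" in the map would never match.

```python
import re
from typing import Dict, List, Tuple

# Same pattern the nginx rule applies to $request_uri. It is unanchored at
# the end, so /wp-admin/admin-ajax.php and /wp-login.php?action=... match too.
ADMIN_URI = re.compile(r"^/wp-(login\.php|admin/)")

# Allowed countries as ISO 3166-1 alpha-2 codes (GB, not UK).
ALLOWED = {"US", "GB", "SE", "FI"}

# Constructed stand-in for the GeoIP database (assumption: no GeoIP.dat offline).
IP_TO_COUNTRY: Dict[str, str] = {
    "198.51.100.7": "US",
    "203.0.113.9": "GB",
    "192.0.2.45": "DE",
}

# Constructed access-log lines in nginx's default combined format.
LOG_LINES = """\
198.51.100.7 - - [10/Oct/2017:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 1234
192.0.2.45 - - [10/Oct/2017:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
192.0.2.45 - - [10/Oct/2017:13:55:38 +0000] "GET /wp-admin/admin-ajax.php?action=x HTTP/1.1" 200 55
192.0.2.45 - - [10/Oct/2017:13:55:39 +0000] "GET /blog/ HTTP/1.1" 200 9000
10.0.0.5 - - [10/Oct/2017:13:55:40 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')


def would_block(country_code: str, request_uri: str, allowed=ALLOWED) -> bool:
    """Mirror of the nginx logic: "A" if the country is not allowed, "B" if the
    URI is an admin path; only the combination "AB" yields the 403."""
    check = ""
    if country_code not in allowed:      # map default -> no (also for "" lookups)
        check += "A"
    if ADMIN_URI.search(request_uri):
        check += "B"
    return check == "AB"


def audit(log_text: str, ip_to_country: Dict[str, str],
          allowed=ALLOWED) -> List[Tuple[str, str, str, bool]]:
    """Return (ip, country, uri, blocked) for every parsable log line."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri = m.groups()
        code = ip_to_country.get(ip, "")  # nginx sets "" when GeoIP has no entry
        results.append((ip, code, uri, would_block(code, uri, allowed)))
    return results


if __name__ == "__main__":
    for ip, code, uri, blocked in audit(LOG_LINES, IP_TO_COUNTRY):
        print(f"{ip:15} {code or '--':2} {'403' if blocked else 'ok':3} {uri}")
```

Private or unknown addresses (no GeoIP entry) fall under the map's default and are blocked as well, which is worth remembering when you administer the site from a LAN or VPN.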
Tested using a VPN from various locations (untrusted countries); ended up landing on a 404.
Would be nice to get this implemented in EE, i.e.
ee site create blaa.com --wp --php7 --geoadmin US,UK,SE,FI