Eventually, No Security Measures Will Help Your System

"When in doubt, use brute force." - with scalable distributed power the rate per second is mostly limited by cost , or the size of your botnet. Sure a login rate limiter or IP whitelist will help but in some cases that's impractical. If you are lucky enough that the attacker has an IDS-usable signature that covers you some of the time (Like the current WordPress one). But eventually the password you chose is going the lynchpin of your security system. How complex is yours?