Any chance that the developers will include this fix?
Yes but that still doesn’t solve the fact that brute force bots hit the wp-login.php which isn’t actually hidden.
With the deny-filter in htaccess, the file will actually be unreachable on that address, making sure the CPU usage doesn’t rise with an attack.
