Since the last few months I encounter a lot of hacking attempts against my site. They are distributed so you can't simply block just one IP. 100k site requests per day are a normal thing if you don't protect anything. Given that your system is secured good enought, this still costs server CPU time and bandwidth. So we need to lock those guys out as good as possible.
There are some things you simply have to do to protect your site:
This works pretty good but it was not enough. Admin Tools grabs a lot of stuff so you see what's going on. Those guys still crawl my site and try to brute force the admin password. I don't even have this admin user anymore! I was not aware of any tool to stop this. So I wrote a stupid simple plugin to stop the page generation as soon as possible if somebody tries to login with the user name 'admin'.
You can download this plugin here: Admin Brute Force Stop Plugin. After you installed it you need to enable it. From now on it'll block all requests which target the com_users component and have the username=admin in the request.
If you habe other ideas just let me know.