We’ve tried all the suggested methods in this article. Anything using a plugin usually ends up consuming too many resources and brings the site down (and sometimes the server if memory is exhausted by MySQL activity). In the end, we’ve protected all our sites in the same way as Oscar_Blank using htaccess rules blocking all IP requests except ours (fixed IP) and the customers (some are fixed IP). If the customer doesn’t want this IP protection then we just refuse to host the WP website. Since we did that, we’ve had no more problems like this.