If you limit access to your Login page (which is equivalent to your /wp-admin directory & your WP Admin Dashboard) by IP address or by adding a second layer of authentication (BasicAuth/wp-admin Directory Password Protection) or by creating a Secret Query String, then new visitors to your website will NOT be able to register, comment or login to your website unless you provide them with the Secret Query String or the /wp-admin Directory Password Protection username and password or you whitelist their IP addresses.
We do some of the things above for our testing websites.
We do NONE of the things above for our Live sites, because new visitors to our websites would not be able to register, comment or login to any of those sites including this Forum site.
BPS Pro Login Security, JTC Anti-Spam / Anti-Hacker & additional Brute Force Login Protection are used on all our Live sites where we want protection against all hackers, spammers and general Brute Force Login attacks and also want to allow new visitors to be able register, comment and login. These BPS Pro features/security measures Block/Protect against 300,000+ Brute Force attacks per month on average on our sites.
See this Forum Topic link below for the additional Brute Force attack protection code that you can add for websites where you need to allow new visitors to be able to register, login and comment on your sites.
http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
.
