So I have been dealing with this botnet issue for awhile, and I used a script put on my VPS at Hostgator that asked for an extra login before getting to the wp-login.php page. I ran it for a week, took it down, got hit and server went down again. This happened quite a bit until I finally just left the script on. However, for my clients who run memberships sites or affiliate programs, this script is getting in the way. I looked at the Brute Force plugin, which is almost like an Askimet pool of Ips its building, but that doesnt stop the attempts and everyone says lockout plugins dont work.

So I have 2 questions:
1) Would using a plugin like Better WP Securityor code like RewriteRule ^login$ [NC,L] to change the login url work?
2) Or should I try this new plugin that just locks down more effectively?

I ask because I dont understand if the botnet only searches for the wp-login.php url or if it would be blocked by simply changing the url. Any advice would be much appreciated!!!!