Presumably, if someone tries to brute force into your website's control panel at your web host's site - they will be throttled/locked-out etc.
But what about the web publishing logins (Web-Deploy, FTP, ...)? How do we prevent anyone brute forcing those? Is the only way to have a password that cannot practically be brute forced, or is there any other method that can be implemented for that?
This is exacerbated by the fact that the control panel login is often valid for web publishing as well, so an attacker can try the passwords on publishing, and if successful - have access to the control panel as well.