Did you have the chance to check it yet?
If you think you’re not going to do it in the near future, let me know, as I would remove the server clone. It’s been created just for this test and it’s costing some money.
Regarding my question above: “Can brute force protection be enabled for other login pages?” If the answer is no, as I think it is, then I’d probably just block access to wp-login.php, as the normal user flow is registering on other forms in the website.
I’d then use the plugin for virus scanning and forget about brute force.