Thank you, I have resolved the issue but not 100% certain of the cause. I think it was because my site was recently moved to a new server, I replaced the .htaccess file with a clean one and the issue seems to be resolved as brute force now enables!
Satying this the Ithemes securtiy check is still throwing an Invalid IP response though so something still isnt right. Loopback is working and also mod_rewrite.
Anyway thank you for your time and for providing a great plugin!
Also I think this may be related to the same issue, in Ithemes security check I see Invalid IP returned: **example*ip**
Under firewall settings page I see this.
Brut Force Protection – Your Server could not start a Session!
Anyone know how to fix this please?
Thanks