There can be billions locations, but if a malefactor have no login this is only ddos, not a brute force. This is the same advise that you gives, but more radical. You said - hide the name, I said - prevent using the name. Maybe my English is so bad...
Hi Adam!
Brute force is not the evil by itself. But it has an aftermath, a bruted account will be locked.
It is for sure impossible to bruteforce if you do not know proper login for it. You can recognize an administrator by indirect signs, and make his account disabled just putting his name...
Maybe it is a good idea just to deny into ACP by name, only by e-mail - this is not public info and cannot be obtained easily. Dunno how to do this, but it give us an additional profit - admin's account will not being blocked when it is brute forced.