It is certainly true that no plugin could ever be the silver bullet (or even a bit of one) if the server itself presents vulnerabilities.

The point you make about insecure networks is also a good one; it doesn’t really matter how many passwords you use if they can all be captured through the network. That was my main concern about this plugin. I’m not convinced it actually adds anything, except a misplaced sense of security, to the party. But it is worth exploring if only to confirm that.

I also think a lot of people are a little scared of using .htaccess for security because it feels like a solution that is out of their control, i.e. there isn’t any code to speak of, it just does it in the background.

I don’t think they should be, but the unknown is usually the scariest thing.

In this case specifically: using .htaccess to restrict access to /wp-admin/ for a specific IP is definately a security measure that makes sense – if you use a passwordfile in a directory that is not accessible by an url. Else the hashed passwords can be cracked within minutes (depening on length and strength of the password). A good read is this: http://www.securityfocus.com/infocus/1368

Like I said, raising the level of awareness generates far more security than any super-duper plugin or security measure could probably do. For a start, I would not advise anybody to log into their website from a network you can’t trust in the first place (public hotspots, shared connection to the net etc.) Wordpress does not rely on SSL by default, so your password is moving through the network anyway just waiting to be sniffed.

Also, hardening your WordPress install is not going to solve all your security problems. You have to keep WordPress always up to date – as well as your server OS, database software, webserver, PHP etc. etc. etc.

Security is more than something you can download and apply – you have to understand it first.