What keeps a Wordpress protected page from being brute forced
So I was looking at a friends wordpress site and noticed you can password protect a page.
If you do this, when you view it, you get a page that accepts a password without a username and seems to not limit your tries.
I set up my own site and enabled a password for a page.
https://shiroslullaby.wordpress.com/passwordprotected/
it seems to use wp-login.php?action=postpass and post_password="password"&Submit=Submit
When you put in the right password you view the content but wrong password seems to do a POST/redirect/GET to the original page?
I tried using the URL bar to enter my variables and got a page not found message. Did I type something wrong or is there something Im not seeing that prevents you from doing it this way and what would prevent someone from brute-forcing this?
Im not sure what you could use in the way of checking referrer, cookies etc to prevent someone from hammering at this until they got the right pass.
Hoping someone knows or is bored and wants to take a look at it.
Also if anyone knows a tool to check out thats good but I'd like to understand exactly how this is implemented becuase I feel like Im missing something.
EDIT
It seems like Wordpress servers are running nginx so Im going to do some reading on that. (I have basic understanding but never actually implemented before)
I would be interested to see differences between using the wordpress site and if somone installed on their own poorly configured server.
Also you can download the worpress kit and look at the php files so Ill do that although my php progamming skills are pretty basic.