Enabling multi-factor authentication (MFA) adds an additional layer of security beyond just the username and password. This can significantly impede a brute force attack, as the attacker would now require another form of identification which is much harder to obtain or guess, such as a temporary token or a biometric factor. Changing user passwords would not be the best immediate action and could disrupt service for legitimate users. Implementing geolocation-based blocking could be helpful but may also inadvertently block legitimate users. Modifying password complexity requirements is good practice but would not offer immediate protection for accounts that are currently under attack.