Happened to look at my web stats on AWStats a couple weeks ago and noticed a few thousand hits on the WordPress login script. Couldn't have been me. Maybe a few, but I'm not logging in dozens of times a day.
Trudging through the stat logs I found a couple IP addresses responsible for most, and blocked them at the server level. Problem solved, I though.
Checked again a couple days ago and another set of IPs, close to the original, were doing the same thing. Time to be a tad more aggressive.
Google brought me to the Limit Login Attempts
plugin. It lets you set a limit on how many times a single IP can try to login and blocks them after that. By default, after 4 failed attempts they're locked out for 20 minutes and after 4 lockouts they're locked out for 12 hours.
The important part for me though is that I now get an email whenever an IP is locked out along with how many failed attempts have come from the IP. Plus, it sends me the username they're using to try to log in with. In the last 3 days I've probably gotten 20 emails. Scary on one hand, but it also means they're not getting in and not hammering my server.
This morning I went in and checked and one IP had 8 lockouts, so 32 failed login attempts. That one is now blocked at the server level for 180 days.
There are a handful of similar plugins. Limit Login Attempts just happens to be the first I tried, and it appears to be doing its job.
And as an aside... One of the things I noticed is that the login name attempted almost every time has been admin. Recent versions of WordPress don't force it, but earlier version always had admin as the username for the first user. Since this particular blog had been around a while, by login was admin. Not anymore.
Also changed my password and managed to lock myself out last night when I couldn't remember what I changed it to.