A recent blog article about up to 90,000 ip addresses being used to try to hack wordpress sites is here
I’ve been seeing and average of 90 login attempts per day for each of my sites. I’ve sure you all have been seeing similar if your looking.
Two options to solve this: 1) Only allow access to wp-login from a specific Ip address or addresses, or 2) Take appropriate precautions of NEVER using an admin account, or any variant of the word admin, and pick a strong password.
look through the 2000+ passwords guessed in the last 20 days by wordpress trolls here:
and if your passwords look like any of these, change it to a more difficult to guess one!
to eliminate all but approved ip addresses, put this in .htaccess:
Order Deny,Allow Deny from all Allow from xxx.xxx.xxx.xxx ErrorDocument 403 ""where you replace xxx.xxx.xxx.xxx with your ip address and add an allow for each additional ip address you want to allow