Several waves of Brute-Force Attacks to my WordPress blog lasted for more than two hours!!!
Like automaticlly adding the attacking IPs to /etc/hosts.deny black list to avoid attacks by sshd, a WordPress plugin “Limit Login Attempts” uses the same strategy to defend attacks.
Hiding the wp-login.php page is also a good choice.