By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.
Last month I’ve posted article on Global Brute Force Attack, which you can read it here: Important: Global WordPress Brute Force Flood. Please Read. As advised in there, I’ve also installed Limit Login Attempts WordPress Plugin..
Limit the number of login attempts possible both through normal login as well as using auth cookies. It blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible. Sometimes the hacker might think they know your password, or they might develop a script to guess your password. In that case what you need to do is limit the login attempts.
You can also see the log of how many total lockouts there have been as well as get notified via email if there have been more than X lockouts in the same day.
Another must read: How to Secure your WordPress Plugin? Prevent CSRF Vulnerability
This plugin has performed 143 lockouts so far… Screenshot from my admin area..