By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease. Last month I've posted article on Global Brute Force …
Read Article about Limit Login Attempts: Absolutely MUST Have WordPress Plugin →