DeeCee - 9:24 pm on Feb 17, 2012 (gmt 0)
Locking wp-admin with a white-list and using good passwords is an important, good idea, and works for a few attack types: pure login and brute-force password attacks.
However, the most frequent attacks I see and catch are attacks on vulnerable themes and plugins. The hackers check the code of such themes and plugins and easily see some of the vulnerabilities. Often it is the same vulnerability in all of them, because they all included the same insecure piece of code with the theme/plugin, borrowed or expanded from some other GPL'ed piece of code.
Most often the security issues are not in Wordpress itself, but the many free amateur themes and plugins people use. Being a good visual theme designer often is not combined with being a good security programmer.
I had one barrage of attacks that went on for weeks, seemingly trying every theme name and plugin name under the sun multiple times from many, many IPs (botnet or cloud services). I use none of the hacked site themes fortunately, plus I check the code I use.
Usually the attacks are targeted at any plugin or theme that supports file uploads, such as an image gallery or others that somehow allow a user-upload mechanism, even if you did not actually enable it.
No wp-admin lock-down protects from those. They do not need an admin log-in or /wp-admin access. All they need is an upload mechanism and a purposefully insecure upload directory to stash the code in. Only fixed upload code, good secure file/directory permissions on the server preventing bad files, or a plugin/htaccess that blocks these URL patterns, will.
Some attack patterns initially simply look for the bad themes or plugins by trying to load a known file. Such as "wp-content/themes/theme-name/styles.css", which would always be there if the theme is installed. If they cannot load the style file, on to the next theme check. Thousands and thousands of them. Similar for the gallery type attacks. All they need is one good (read: "bad") upload of a code file to your server, and the infection is in place. Now they can call it from the outside as a standard URL, make your http server call on it as valid code that suddenly makes many funny site modifications, and they own you. Pretty simple mechanism, really.
The best way to stop attacks from overloading a server is at the firewall level (assuming one has access to that), since that stops the server overload. Next best is through an http server config or a good mod_security setup, third by htaccess pattern blocking on the individual site level. That third option is unfortunately what many or most site owners are limited to. The further "out" towards the network you shut them down, the better it is for your server.
Fourth option is using a security/spam plugin that might be able to block some of the known scammers and patterns. But by that time you are in at least the initial load routines in Wordpress when the plugin call and check happens, so some server load has started.
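The two patterns the post describes, an IP walking through theme/plugin names by requesting a file that exists in every install and getting 404 after 404, and a PHP file being requested from the uploads directory where only images should live, both show up plainly in the web server log. The script below is an added example, not code from the post or from WordPress, that runs that detection over a few constructed Apache "combined" log lines. The log format, the 5-distinct-404s threshold, the IP addresses and the theme/plugin names are all assumptions chosen for the demo; the output is meant to feed the htaccess- or firewall-level blocking the post recommends.

```python
import re
from collections import defaultdict

# Apache "combined" log line: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A request into a specific theme or plugin directory: enumeration target.
ENUM_RE = re.compile(r'^/wp-content/(?P<kind>themes|plugins)/(?P<name>[^/?]+)/')
# Server-side script under the uploads tree, including double extensions like shell.php.jpg.
UPLOAD_PHP_RE = re.compile(r'^/wp-content/uploads/.*\.ph(?:p\d?|tml)(?:\.|$)', re.I)

# Constructed sample log (RFC 5737 documentation addresses, made-up theme names).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Feb/2012:21:24:01 +0000] "GET /wp-content/themes/theme-one/style.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Feb/2012:21:24:02 +0000] "GET /wp-content/themes/theme-two/style.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2012:21:24:02 +0000] "GET /wp-content/themes/site-theme/style.css HTTP/1.1" 200 8120 "http://example.invalid/" "Mozilla/5.0"
203.0.113.10 - - [17/Feb/2012:21:24:03 +0000] "GET /wp-content/themes/theme-three/style.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Feb/2012:21:24:03 +0000] "GET /wp-content/themes/theme-four/style.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Feb/2012:21:24:04 +0000] "GET /wp-content/themes/theme-five/style.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Feb/2012:21:24:05 +0000] "GET /wp-content/plugins/plugin-x/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2012:21:24:06 +0000] "GET /wp-content/uploads/2012/02/photo.jpg HTTP/1.1" 200 40211 "http://example.invalid/" "Mozilla/5.0"
192.0.2.44 - - [17/Feb/2012:21:24:07 +0000] "GET /wp-content/plugins/plugin-y/readme.txt HTTP/1.1" 404 512 "-" "curl/7.21"
203.0.113.10 - - [17/Feb/2012:21:25:40 +0000] "GET /wp-content/uploads/2012/02/image.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Feb/2012:21:25:41 +0000] "GET /wp-content/uploads/2012/02/photo.php.jpg HTTP/1.1" 200 77 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return a dict with ip, method, path (query stripped) and int status, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['path'] = rec['path'].split('?', 1)[0]
    return rec


def analyze(lines, enum_threshold=5):
    """Flag enumerating IPs (many distinct theme/plugin dirs returning 404) and script hits in uploads."""
    probes = defaultdict(set)   # ip -> set of (kind, name) that answered 404
    upload_hits = []            # (ip, path, status) for scripts requested under uploads
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = ENUM_RE.match(rec['path'])
        if m and rec['status'] == 404:
            probes[rec['ip']].add((m['kind'], m['name']))
        if UPLOAD_PHP_RE.match(rec['path']):
            upload_hits.append((rec['ip'], rec['path'], rec['status']))
    enumerators = {ip: len(s) for ip, s in probes.items() if len(s) >= enum_threshold}
    return {'enumerators': enumerators, 'upload_php': upload_hits}


def deny_rules(report):
    """Build Apache 2.2-style htaccess deny lines for every IP the report flagged (assumed format)."""
    ips = set(report['enumerators']) | {ip for ip, _, _ in report['upload_php']}
    return ['Deny from %s' % ip for ip in sorted(ips)]


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for ip, n in report['enumerators'].items():
        print('enumeration: %s probed %d distinct theme/plugin dirs (404)' % (ip, n))
    for ip, path, status in report['upload_php']:
        print('script in uploads: %s requested %s (status %d)' % (ip, path, status))
    print('\n'.join(deny_rules(report)))
```

The uploads check deliberately ignores the status code: a 200 means the dropped file executed, while a 404 still tells you someone knows where to look. The same rules run unchanged over a real access log with `analyze(open('access.log'))`, and the threshold is the knob to tune against legitimate 404s from a broken theme link.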