I'm no expert, but here's what I've done lately on multiple existing WP sites. Bear in mind, I always use very strong passwords unique to each site.
1. Updated all my WP sites to 3.3.1. 2. Updated all plugins. 3. Installed, activated and made settings that make sense with the Better WP Security plugin (it's free to download). 4. Using that plugin, among other things, I've:
a. Set up brute force protection, setting only 5 login attempts and blocking for 600 minutes b. Replaced the "admin" username c. Secured the .htaccess file d. Blocked long urls e. Various other tweaks available with the plugin
Also, you might want to check for malware coming in through timthumb.php using the timthumb vulnerability scanner plugin (also a free download).
I think blocking individual IPs through your firewall is a losing battle (I have a VPS). I'm not saying don't do it. Just that there are so many attempts going on since the first of the year that it's difficult to keep up.
On new installs, you can, apparently, safely change the wp prefix which can be problematic on existing sites.
I'm open to all other suggestions.
What triggered my beefing up of security was hacking of one of my sites. I took the matter up with my host (I have VPS) and received this in the exchange:
There's no indication that this occurred through cPanel or FTP or any other protocol other that HTTP. I've only seen this variety of hack with WP....
The hack took the form of injection of malicious code in all the index.php files on the site.