The greatest hack focus on a WordPress site seems to be trying to log in with the default username « admin ». This plugin detects all login attempts with that username and exits with a 403 Forbidden header. This should eventually discourage login bots from continuing to pound your site.
All attempts are logged inside the /wp-content/plugin-data folder, just in case you need the info. Logs are kept for up to 30 days.