Do you have a WordPress blog?
- I lock out IPs for an hour after 2 failed logins, for 24 hours after 2 more failed logins.
- I ban offending IPs regularly.
- I use a strong generated password.
Good rules. I have Wordfence set up to aggressively ban bad login attempts. I also use, as the first line of defense, a secret login name that's not related to the visible byline that goes on my posts. If I ever see someone start guessing that in my failed login attempt reports, I know to worry. But when it's just the same old same old ("admin," different variations on my name, different variations on the site name) I'm just like, "meh. They won't get in, and they'll go pick on a softer target."
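The escalating lockout from the list above and the secret-login-name check from the reply, run over a failed-login report. This is an added example, not code from either poster or from any plugin. The event format, all names, and the handling of attempts during a lockout are assumptions.

```python
from datetime import datetime, timedelta

# Assumptions (not from the thread): the event format, every name below, that
# attempts arriving during a lockout are rejected without being counted, and
# that each further pair of failures after the first re-applies the long lock.
SHORT_HOURS, LONG_HOURS = 1, 24
SECRET_LOGIN = "k7-editor-login"  # hypothetical secret login name

# Constructed sample: (timestamp, source IP, username tried), all failed.
EVENTS = [
    ("2024-05-01 10:00:00", "203.0.113.5", "admin"),
    ("2024-05-01 10:00:05", "203.0.113.5", "siteadmin"),
    ("2024-05-01 10:00:10", "203.0.113.5", "admin"),
    ("2024-05-01 10:05:00", "198.51.100.7", "k7-editor-login"),
    ("2024-05-01 11:30:00", "203.0.113.5", "admin"),
    ("2024-05-01 11:30:04", "203.0.113.5", "janedoe"),
    ("2024-05-01 12:00:00", "203.0.113.5", "admin"),
]

def analyse(events, secret_login=SECRET_LOGIN):
    failures, locked_until = {}, {}
    report = {"lockouts": [], "alerts": [], "blocked": 0}
    for stamp, ip, user in sorted(events):
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        # A guess at the secret name matters whatever the lockout state is.
        if user == secret_login:
            report["alerts"].append((stamp, ip))
        if now < locked_until.get(ip, datetime.min):
            report["blocked"] += 1
            continue
        failures[ip] = failures.get(ip, 0) + 1
        # 2 failures: one hour. Every 2 more after that: 24 hours.
        if failures[ip] % 2 == 0:
            hours = SHORT_HOURS if failures[ip] == 2 else LONG_HOURS
            locked_until[ip] = now + timedelta(hours=hours)
            report["lockouts"].append((ip, stamp, hours))
    return report

if __name__ == "__main__":
    for key, value in analyse(EVENTS).items():
        print(key, value)
```

The single attempt from the second address never reaches a lockout threshold, yet it is the one that raises an alert, because it names the login that is not published anywhere.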