Running WordPress on my own server, like on Amazon Web Services (AWS), is a bit more work than even the popular commercial website hosts, since the server configuration is entirely up to me. This site had been up for about three weeks, when I noticed 900 login attempts on WordPress. I've never run into this on WordPress.com or shared hosting sites like GoDaddy or HostGator - presumably because they have applications protecting their servers from script kiddies (bandwidth is money).
The first order of business was to get rid of default WordPress login URL, which is what the bot was looking for, by giving it a meaningless name. I used a security plugin to do this, but there are tons of other WordPress plugins and server rewrite options that can perform the same thing.
Note that changing the name of the login URL does not do any good, if you do not also remove the lost password links from the login page and disable the password reset (both of which contain the new login URL). This is easily done with some function code, e.g. like this.
The second order of business was to activate a firewall on my Apache server, to catch these things before they get to WordPress. I actually don't use many of the features available in the security plugin, because most of them are handled at the server-edge.
Pro tip: Write more, sysadmin less.