Ran into these as well and they actually succeeded in essentially bringing down our webserver. Seems to be a botnet brute force password attack that's been going on since April targeting WordPress sites, though it seems to have picked up again lately. I added the following to our .htaccess file and that seems to have done the trick (obviously you'd need to change the domain and IP address (either single or range for your own use):
# BEGIN DDoS block
# Blocks "example.com/wp-login.php" referer without https?://
# And blocks all non-company addresses from wp-login.php
RewriteCond %{HTTP_REFERER} ^example\.com/wp-login\.php$
RewriteRule .* - [F]
<Files ~ "^wp-login.php">
<Limit POST>
deny from all
Allow from XXX.XXX.XXX.XXX
</Limit>
</Files>
<FilesMatch "^wp-login.php$">
Order Deny,Allow
Allow from XXX.XXX.XXX.XXX
Deny from all
</FilesMatch>