Lots of things to do with wp...
I've found you can't always block based on IP because some scripts use the ajax in the admin area... thus visiting your site can create a warning.
Give the plugin Login LockDown a shot... it masks login errors, can set timeout limits on fails, etc., if someone happens to get to the login screen.
Another thing you can do is protect your wp-login.php with basic user/pass protection to access it. It's not an end-all, it's just another step. Drop this into your functions file, and set a user/pass...
Code:
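// Only hook in when the request is for the login page.
if ($_SERVER['PHP_SELF'] == "/wp-login.php"){ add_action('init', 'login_init');}
function login_init(){
$user = "YOUR-USERNAME";
$pass = "YOUR-PASSWORD";
// The browser sends no credentials on the first request, so default to empty strings.
$given_user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$given_pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
// Challenge unless BOTH values match; with && a correct username alone would get through.
// hash_equals() compares in constant time.
if(!hash_equals($user, $given_user) || !hash_equals($pass, $given_pass)){
header("WWW-Authenticate: Basic realm=\"\"");
header("HTTP/1.0 401 Unauthorized");
exit;
}
}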