I just had the most amazing idea while trying to figure out why this customer's server was down. The brute-force attempts in the access log typically look something like this:
1.2.3.4 - - [19/Feb/2014:11:57:17 -0800] "POST /wp-login.php HTTP/1.1" 200 292 "-" "-"
So I had this brilliant idea: if they are brute-forcing this way, they likely got brute-forced the same way themselves, so why can't I just redirect them back on themselves? I think most of these brute-force attempts come in by IP address, from someone scanning for IP addresses that have a wp-login.php. So I wrote up this redirect rule:
RewriteEngine On
# POST to wp-login.php with no User-Agent header at all: send it back to the requester's own IP
RewriteCond %{THE_REQUEST} ^POST
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule wp-login.php http://%{REMOTE_ADDR}/wp-login.php [R,L]
# Same conditions for xmlrpc.php
RewriteCond %{THE_REQUEST} ^POST
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule xmlrpc.php http://%{REMOTE_ADDR}/xmlrpc.php [R,L]
This can typically just be dropped into the .htaccess, and if someone is trying to hit your wp-login.php this way, it will redirect them back to their own IP address to hit their own wp-login.php. Hopefully, whoever's server was compromised in the first place will go and fix their security hole instead of letting it spread further 🙂
edit — Updated to do the same thing for scumbags hitting xmlrpc.php
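As an added example (not part of the original post), this Python script applies the same conditions as the rewrite rules above (POST, login endpoint, blank User-Agent) to access-log lines in the format shown, so you can see per source IP what the rules would have caught before enabling them. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the combined log format shown in the post
# (IPs and timestamps are made up). Apache logs an absent User-Agent as "-".
SAMPLE_LOG = """\
1.2.3.4 - - [19/Feb/2014:11:57:17 -0800] "POST /wp-login.php HTTP/1.1" 200 292 "-" "-"
1.2.3.4 - - [19/Feb/2014:11:57:18 -0800] "POST /wp-login.php HTTP/1.1" 200 292 "-" "-"
5.6.7.8 - - [19/Feb/2014:11:58:02 -0800] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
9.9.9.9 - - [19/Feb/2014:11:59:40 -0800] "GET /wp-login.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
9.9.9.9 - - [19/Feb/2014:11:59:45 -0800] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two endpoints the .htaccess rules cover
TARGETS = {"/wp-login.php", "/xmlrpc.php"}

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def matches_rule(entry):
    """Mirror the RewriteCond/RewriteRule conditions: POST to a target path
    with an empty User-Agent (logged as "-")."""
    return (entry["method"] == "POST"
            and entry["path"].split("?")[0] in TARGETS
            and entry["ua"] in ("", "-"))

def suspicious_posts(log_text):
    """Count, per source IP, the requests the redirect rules would have matched."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and matches_rule(entry):
            hits[entry["ip"]] += 1
    return hits

if __name__ == "__main__":
    for ip, n in suspicious_posts(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} blank-UA POST(s) to a login endpoint")
```

A redirect only does anything if the client follows it, so these per-IP counts are also the input you would want for an outright block of repeat offenders.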