by t0 4549 days ago
You're right. It was probably a brute force since they don't have maximum login attempts. http://blogs.skype.com/wp-admin

Limiting login attempts is not as effective as you might think. How should it work? If you want to ban IP addresses that get X attempts wrong in Y minutes, then you're failing to realize that hackers like this normally have access to hundreds or thousands of IP addresses. If you want to lock the whole account for a while, then you've just introduced a way for anyone to lock the account of someone else they don't like.

Also considering that their Twitter and Facebook accounts were also compromised, your assumption that it was the blog itself that was compromised is a big one. I don't have any first hand knowledge on that though personally, I'm just saying.

No need to ban an IP address. After x attempts just add y seconds before allowing another login attempt. If you like, lock account with SMS or email to owner after z attempts. Do this per login, regardless of device type/location. The time taken to test out just 5 passwords should make a brute force impractical.

That sounds not fun for the account owner. I could prevent you from logging into your account.
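The two comments above describe the per-account scheme (free attempts, a growing delay, then a lock with owner notification) and its main drawback. The following Python model, added here as an illustration and not code from the thread or from any plugin it mentions, implements that scheme with a simulated clock so the cost of guessing and the lockout side effect can be measured without sleeping. The parameters x = 3, y = 2 s, z = 10, the username "victim" and the doubling of the delay are assumptions chosen for the example; the throttle is keyed on the account name, so it behaves the same no matter how many source addresses an attacker uses.

```python
"""Per-account login throttling with backoff and lockout (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class AccountThrottle:
    free_attempts: int = 3      # x: failures tolerated before any delay is imposed
    base_delay: float = 2.0     # y: seconds of delay after the x-th failure, doubling each time
    lockout_after: int = 10     # z: failures before the account is locked and the owner alerted
    failures: dict = field(default_factory=dict)      # username -> consecutive failures
    next_allowed: dict = field(default_factory=dict)  # username -> earliest time of next attempt
    locked: set = field(default_factory=set)
    owner_alerts: list = field(default_factory=list)  # stand-in for the SMS/email to the owner

    def may_attempt(self, user: str, now: float):
        """Return (allowed, seconds_to_wait); seconds_to_wait is None while locked."""
        if user in self.locked:
            return False, None
        earliest = self.next_allowed.get(user, 0.0)
        if now < earliest:
            return False, earliest - now
        return True, 0.0

    def record(self, user: str, success: bool, now: float) -> None:
        """Update per-account state after an attempt that the throttle allowed."""
        if success:
            self.failures.pop(user, None)
            self.next_allowed.pop(user, None)
            return
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.lockout_after:
            self.locked.add(user)            # hard lock until the owner unlocks via SMS/email
            self.owner_alerts.append(user)
        elif n >= self.free_attempts:
            delay = self.base_delay * 2 ** (n - self.free_attempts)
            self.next_allowed[user] = now + delay


def guessing_cost(n_guesses: int, throttle: Optional[AccountThrottle] = None) -> Tuple[float, int]:
    """Simulated seconds an attacker needs to submit n wrong guesses against one account.

    Returns (elapsed_seconds, guesses_actually_made); guessing stops once the account locks.
    The attacker's IP address plays no part, so rotating addresses does not shorten this.
    """
    throttle = throttle or AccountThrottle()
    clock = 0.0
    made = 0
    for _ in range(n_guesses):
        allowed, wait = throttle.may_attempt("victim", clock)
        if not allowed and wait is None:
            break                      # locked: further guesses are rejected outright
        if not allowed:
            clock += wait              # attacker must sit out the delay before the next try
        throttle.record("victim", success=False, now=clock)
        made += 1
    return clock, made


def lockout_dos(throttle: Optional[AccountThrottle] = None) -> Tuple[bool, bool]:
    """The flip side: z wrong guesses by anyone lock the real owner out of their own account.

    Returns (owner_allowed_with_correct_password, owner_was_alerted).
    """
    throttle = throttle or AccountThrottle()
    elapsed, _ = guessing_cost(throttle.lockout_after, throttle)
    owner_allowed, _ = throttle.may_attempt("victim", elapsed + 1.0)
    return owner_allowed, "victim" in throttle.owner_alerts


if __name__ == "__main__":
    print("5 guesses take", guessing_cost(5))       # (6.0, 5)
    print("10 guesses take", guessing_cost(10))     # (254.0, 10)
    print("owner after attacker's z failures:", lockout_dos())  # (False, True)
```

With these parameters the fifth wrong guess only completes after 6 simulated seconds and the tenth after 254, which is the effect the comment is after; the same ten failures, submitted by someone else, leave the owner's correct password rejected until the notified owner unlocks the account, which is the objection raised in the reply.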
This plugin does exactly that and is very effective. Everyone using WP should be using it. http://wordpress.org/plugins/limit-login-attempts/

I run this on my personal site to prevent drive-bys but it won't stop a determined hacker with many IPs.

Here's a proper solution to secure your account: http://wordpress.org/plugins/google-authenticator/

WordPress.com has pretty sophisticated brute force detection mechanisms and protections in place. I am not sure why you would say otherwise.

Such a simple feature to implement...

It does appear to be a brute force or phishing attack. These sorts of drive-bys can typically be permanently stopped with 2FA or a password-less MFA solution like LaunchKey (Disclaimer: co-founder). LaunchKey has a free WordPress Plugin available, among others: http://wordpress.org/plugins/launchkey/

It is 2014, you better prepare a good PR response for when you get breached OR start implementing stronger authentication ASAP.

It is only a simple feature if you don't care about DoS against the user account and do not have an adversary with a large botnet.