by Spearchucker 4555 days ago
No need to ban an IP address. After x attempts just add y seconds before allowing another login attempt. If you like, lock account with SMS or email to owner after z attempts. Do this per login, regardless of device type/location. The time taken to test out just 5 passwords should make a brute force impractical.
2 comments
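An added example, not code from the thread, of the per-account scheme described in the comment above: after x failed attempts each further attempt must wait y seconds (growing with every extra failure), and after z failures the account is locked until the owner clears it out of band. Class and method names, the thresholds, and the injectable clock are assumptions for illustration.

```python
import time
from dataclasses import dataclass

@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time another attempt is accepted
    locked: bool = False

class LoginThrottle:
    """Per-account throttle (hypothetical): keyed by login name, not by IP,
    so a distributed guesser gains nothing from switching addresses."""

    def __init__(self, x=3, y=5.0, z=10, clock=time.monotonic):
        self.x, self.y, self.z, self.clock = x, y, z, clock
        self.state = {}

    def _get(self, username):
        return self.state.setdefault(username, AccountState())

    def check(self, username):
        """Return (allowed, reason); call before verifying the password."""
        s = self._get(username)
        if s.locked:
            return False, "locked"
        if self.clock() < s.next_allowed:
            return False, "wait"
        return True, "ok"

    def record(self, username, success):
        """Update counters after a verification attempt."""
        s = self._get(username)
        if success:
            self.state.pop(username, None)   # good login resets everything
            return
        s.failures += 1
        if s.failures >= self.z:
            s.locked = True   # notify the owner by SMS/email here (assumed hook)
        elif s.failures >= self.x:
            # delay grows with each failure past x: y, 2y, 3y, ...
            s.next_allowed = self.clock() + self.y * (s.failures - self.x + 1)

    def unlock(self, username):
        """Owner confirmed via the out-of-band link; clear the lock."""
        self.state.pop(username, None)
```

Note that a locked account is itself a lever against the owner, which is the objection raised in the reply below; the lock must be cheap for the owner to clear.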

That sounds not fun for the account owner. I could prevent you from logging into your account.
This plugin does exactly that and is very effective. Everyone using WP should be using it. http://wordpress.org/plugins/limit-login-attempts/
I run this on my personal site to prevent drive-bys but it won't stop a determined hacker with many IPs.

Here's a proper solution to secure your account: http://wordpress.org/plugins/google-authenticator/