By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.Author Site
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
WordPress Plugin Is A Must Have
I'm afraid I can't recall where I fist saw this plugin mentioned, but I owe them some kind of props. It's one of those things that is very simple, yet very useful. The Limit Login Attempts plugin does just that, and therefore makes it much harder for baddies to brute force their way into your WordPress admin panel. This is for use with WordPress sites you are hosting, or have someone host for you; as far as I know, you can't use plugins on the WordPress.com free sites.