- remove default "admin" user, because most of the brute-force attacks targeted to crack "admin" username
- keep WordPress, theme and plugins up-to-date
- Avoid common words for passwords. Bad passwords: admin, letmein, pass
- install Security-protection and Anti-spam plugins
- Check out if your site is secured on sitecheck.sucuri.net
These methods will solve 90% of possible security issues on average site.
How to secure WordPress from Brute Force Attacks