The only thing I'd perhaps add to that excellent article is to set up Google Authenticator using the Google Authenticator plugin and enable it on at least all your administrator-level accounts so that weak/compromised passwords or passwords shared with other sites become far less of a problem.

While it's called Google Authenticator it has no tie-in to Google's services. It's an open algorithm that generates a 6-digit code based on a shared secret and the time. Clients are available for all the major smartphone platforms. The WordPress plugin adds a third box to the login page and validates the 6-digit number is correct as well as your username and password, such that just knowing a valid username and password for an account with Google Authenticator enabled isn't sufficient to get access to WordPress.

There's been lots of discussion on OATH HOTP (of which Google Authenticator is an implementation) on the excellent Security Now podcast. Well worth a listen if you're interested in these things. Because it's an open standard it's beginning to be adopted for other services too (Dropbox, Amazon, Facebook, LastPass, Evernote to name a few).

Fail2Ban has been invaluable today. My VPS ended up blocking over 600 separate hosts all trying to log in to one of our installs in the space of an hour!

Alex