[bitfolk] WordPress - the attack continues

On one server, Fail2ban has banned over 150 IP addresses so far today for attempting to hack into WordPress sites. (If you run WordPress and you don't have protection against this, you need it!) The volume is such that it managed to crash the MySQL server on one VPS today. One suggestion I have seen is to use Apache's authorisation to limit access to wp-login.php, but that a) involves telling a bunch of real people a password and some of them could forget their own name and b) increases the size of the apache process by about 20% over the slimmed down version with as few modules enabled as possible that I have been running. Anyone have any other suggestions? Ian