The Limit Login Attempts plugin does well to stop these malicious bots. Note: While it has not been updated as noted at the link, I have it working fine on both single and multi-site installations at WP 4.0. See also:
http://codex.wordpress.org/Brute_Force_Attacks
Your best course of action is a strong and unique password for the site admin user(s). I also strongly suggest not using admin as a USERNAME, but creating a password-like one instead.
To understand why the password should not just be a strong one but also be unique, see:
http://en.blog.wordpress.com/2014/09/12/gmail-password-leak-update/
See, people tend to use the same password for varying sites/logins. Once one is compromised and the credentials stolen, these malicious bots go to work attempting to log in to all the popular sites, and gosh, even banking sites. Their goal is theft, and often they succeed when folks use poor security measures!
The single most powerful tool is both a unique and password-like USERNAME and a unique and strong password.