massive brute force against wp-login.php (wordpress)

So I get a ticket about high load on a server. Checking logs I see tons of:

POST /wp-login.php HTTP/1.0

and in logs:
– – [13/Aug/2013:13:35:07 -0400] “POST /wp-login.php HTTP/1.0”

Notice all http/1.0 – thanks for making it easy. Dropped with a .htaccess


RewriteEngine On
RewriteCond %{SERVER_PROTOCOL} ^(HTTP/1.0)
RewriteCond %{REQUEST_URI} ^/wp-login.php$
RewriteRule .* - [R=406]