If you have a WordPress based blog, or otherwise use WordPress as a CMS for your website, you are either getting a lot of bad user accounts being created or noticing a lot of knocking on your wp-login.php page. WordPress has a nice feature which allows you to install WordPress in a directory other than the root one. For example your site is served from http://blog.example.com, but WordPress can be installed in http://blog.example.com/wpcms. In past versions of WordPress, prior to 3.8 or maybe be older than that, unless you knew the exact path to where WordPress was installed you could not get to the dashboard. That has changed! Now even if WordPress is installed in some random directory, if you navigate to http://blog.example.com/wp-login.php you will be redirected to the actual WordPress login page. Convenient, but not helpful when dealing with SPAM bots.
Majority of SPAM bots are configured to assume that WordPress is installed in the root directory so that’s where they will try to either register on your site or login to the WordPress dashboard. With newer versions of WordPress they do not even have to make any guesses. If you have an older version of WordPress, or for security reason want to overwrite the new auto-redirect behavior add the lines below to the .htaccess file in the directory from which your site is served. Not the directory in which WordPress is installed.
RedirectMatch 301 ^/wp\-login\.php$ http://localhost/
RedirectMatch 301 ^/wp\-admin$ http://localhost/
What the above lines do is to redirect anyone or anything that tries to login or register at wp-login.php, or access the WordPress dashboard at wp-admin, to itself. Though not the best security solution, it is a solution to deal with both. Unless, that is, someone is specifically targeting your web site and putting some effort in figuring out it structure. If this is your situation, then check out How to protect wp-login.php using .htaccess and .htpasswd?