I've found the "Better WP Security" plugin to be pretty good at stopping all of this. You can set login limits, 404 limits, etc., and have it automatically deny offenders' IP addresses from accessing your site by modifying the site's root .htaccess file. But even it doesn't cover everything.
Many WP attackers probe for themes and plugins with known weaknesses, or exploit the upload system to upload executables. But what most people don't know (including most WP developers I've worked with) is that there is no reason for PHP files to be directly accessible anywhere in the /wp-content/ directory (which includes uploads, themes, and plugins). Simply adding a .htaccess file to the /wp-content directory with something like the following in it will protect against poorly written themes, plug-ins, and most not-yet-known exploits of WordPress.
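Order Deny,Allow
Deny from all
# Example list of static file extensions; add allowable extensions as needed
<FilesMatch "\.(css|js|jpe?g|png|gif)$">
Allow from all
</FilesMatch>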
If that breaks a plugin or theme you use, then it's not written very well and you shouldn't risk using it. Contact the developer and tell them they should not need direct access to executables in /wp-content.
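Before deploying the allowlist, it helps to know which files it will stop serving and whether uploads/ already holds executables. The script below is an added example, not part of the original post; the ALLOWED list, the function names and the sample file names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit a wp-content tree against the extension allowlist.
# ALLOWED is an assumed list; keep it identical to the one in your .htaccess.
ALLOWED='css|js|jpe?g|png|gif'

# Files Apache would refuse to serve directly once the allowlist is in place.
list_blocked() {
    find "$1" -type f ! -name '.htaccess' | grep -Eiv "\.(${ALLOWED})\$" | sort
}

# Script-like files under uploads/, where none should normally exist.
list_upload_scripts() {
    find "$1/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) | sort
}

# Constructed sample tree (hypothetical file names) so the script runs offline.
make_sample_tree() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/uploads/2024" "$root/themes/demo" "$root/plugins/demo"
    : > "$root/uploads/2024/photo.JPG"          # allowed, match is case-insensitive
    : > "$root/uploads/2024/avatar.php"         # executable in uploads: investigate
    : > "$root/uploads/2024/logo.png.phtml"     # only the final extension counts here
    : > "$root/themes/demo/style.css"
    : > "$root/themes/demo/functions.php"       # included by WordPress, not fetched by URL
    : > "$root/plugins/demo/ajax-handler.php"   # breaks only if something requests it by URL
    echo "$root"
)

# Usage: sh audit.sh /path/to/wp-content  (with no argument, only the functions are defined)
if [ -n "${1:-}" ]; then
    echo "Would be blocked by the allowlist:"
    list_blocked "$1"
    echo "Script-like files under uploads/:"
    list_upload_scripts "$1"
fi
```

Anything the second list prints deserves a closer look regardless of the .htaccess rule; entries in the first list only matter if a theme or plugin fetches them by URL.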