Comment Re:Admin wasn't just the default password (Score 2) 110

They are building a botnet of powerful webservers. We are already seeing them move on from Wordpress blogs; the attacks are not over. The current payloads are primarily spam and attacking other sites (using PHP and Perl scripts injected or uploaded to Wordpress sites), but the main point is to infect as many computers and servers as possible to gain more computing power. Now is a good time to secure your Joomla, Drupal, ZenCart, X-Cart, and even HTML (!) sites. It appears the attackers are now experimenting with various SSL attacks, pulling various configuration files, and trying to get into databases, primarily on shopping carts. This may just be another distraction though, which is a common tactic in the world of hackers. If the distraction is big enough it will always draw attention away from what you are really doing...

Comment Re:How to Respond to the Global Wordpress Attacks (Score 1, Interesting) 110

You mean "correct horse battery staple", and unfortunately that is terrible advice - any password under 50 characters made of only lowercase letters will be broken by the most basic brute force. And their dictionary is impressive; we've been pulling the POSTDATA and checking what they are doing. The rotation of usernames in itself is scary - even non-"admin" users are not protected. This is why I suggest a 30 character password, and in fact you should be using a similar method to generate your admin username. Even that can be cracked with a botnet of sufficient size, which is exactly what they are trying to build. They have a LOT of CPU power at their disposal between the infected PCs and the infected servers (which often have 32+ cores and 100GB+ of memory to play with).

Comment How to Respond to the Global Wordpress Attacks (Score 3, Interesting) 110

I have written a rather detailed article on next steps for anyone affected - which is just about anyone with a Wordpress site. Unfortunately at least 10% of accounts hit have been successfully compromised, and many are being used to send spam or attack other sites. The Global Wordpress Brute Force Attacks of 2013 - http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html This includes the method to htaccess block direct automated requests for wp-login.php as well. The attackers have gotten around some fairly advanced countermeasures including mod_security rules so all Wordpress site owners should be following these steps.
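The kind of .htaccess block the post refers to, as an added illustration rather than the linked article's own rules; example.com and 203.0.113.10 are placeholders for the site's real hostname and an administrator's fixed address:

```apache
# Added example: refuse POSTs to wp-login.php that do not arrive from a page
# on this site. A browser submitting the login form sends the site itself as
# Referer; most scripted brute-force clients send none. example.com is a
# placeholder for the real hostname.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} wp-login\.php
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Stricter alternative for sites whose administrators log in from fixed
# addresses: only the listed IP may reach the login page at all
# (203.0.113.10 is a documentation-range placeholder). Apache 2.2 syntax;
# on 2.4 replace the three directives with "Require ip 203.0.113.10".
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
</Files>
```

The Referer check only stops clients that do not bother to set the header, so it cuts the request volume and CPU spent on failed logins rather than replacing a strong password; the address allow-list is the one that actually prevents guessing from the botnet.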
