First, try renaming/deleting wp-signup.php, that's a basic security step. Letting random hackers "sign up" is one of the lamest WordPress features imaginable.
Next, install wSecure Authentication plugin and tweak it.
It sounds like you might have done this, but I should repeat.
These are not the only walls of defense, but are a good start. WordPress is flawed when it comes to security. You have to spend time to make up for that.
Next, put your worst offenders as blocked in .htaccess, once that is done the server load is minimal.
As another step, install IQ Country Block plugin and on the _Front End_ block all countries that you have no need to show your blog to. On the back end in same plugin, block ALL countries except your location as an admin.
After you do all that, see if you get things under control. If not, install a blocked bad referrers list in your .htaccess.
You might also check with your website host and see if they're doing anything to block bad traffic. If not, prepare to be attacked.