If you need random users to be able to login, effective IP blocking will depend on the distribution of your legitimate user base. Realistically, limited login attempts and lockouts combined with a really strong password is more than adequate defense.
Even though I believe security by obscurity is an oxymoron, not having an 'admin' user has completely stymied all such hack attempts so far. Still, I believe hiding the login and admin paths is a wasted effort. In my experience, blocking a worldwide botnet has not yet resulted in the hacker controlling it going away. Going on 5 months now, he is still hammering away uselessly at my site. What a moron!
If you only need access for a limited few, a dedicated IP is not necessarily required, though it makes things much easier. I personally have whitelisted the entire IP range allocated to my ISP using CIDR notation in .htaccess (
Allow from 220.127.116.11/18 for example). Since no hackers so far use my ISP, the worldwide botnet is completely blocked even though I do not have a static IP, and yet I login without apparent restriction. If I do use a different ISP occasionally, it takes about a minute to temporarily add my current IP to the whitelist via FTP.