This is one of the first plugins you should install and activate. Since installing it on a WordPress installation I haven't even begun using yet, this plugin has blocked nearly 600 attempts to brute force my site. Not only does it lock them out, but also records the IP address and lets me see what user accounts are being targeted. This is definitely a security tool that should be in every WordPress admin's arsenal.
I also highly recommend the "Google Authenticator" app to work alongside this one.