It does appear to be a brute force or phishing attack. These sort of drive-bys can typically be permanently stopped with 2FA or a password-less MFA solution like LaunchKey (Disclaimer: co-founder). LaunchKey has a free WordPress Plugin available, among others: http://wordpress.org/plugins/launchkey/

It is 2014, you better prepare a good PR response for when you get breached OR start implementing stronger authentication ASAP.

It is only a simple feature if you don't care about DOS against the user account and do not have an adversary with a large botnet.