This is pretty old news , this "super bot-net" of compromised Wordpress sites ( and others) has been attacking since September
ONANOG Digest,
FYI, the "new" part of this news is that the current botnet is 10x larger
than the one you're thinking of.
Damian
apache's mod_security comes in pretty handy for reducing the
cpu load caused by these attacks; we've seen many sites we
host getting hammered on the wp-login.php page from these
bots.
Here's the rules that block the bad requests:
https://docs.google.com/document/d/1wCpp7U5uOw_krEkQrm9NXFf2LjpGvlZ7uoOK
0Ok4LGM/pub
David