
Error Pages and Query Strings DDOS


The only solutions I know:

  1. Use CloudFlare as an extra layer of proxy-caching (and a CDN, for all purposes) in front of your server. Basic service is free and it will certainly filter out many attempts such as those — and because CloudFlare acts as a cache for so many millions of websites, they can quickly (and automatically) figure out potential sources of DDoS attacks and block the IPs before they hit your server. Last but not least, CloudFlare has an 'attack mode'. When you activate it, every new access (yes, this will happen with legitimate users as well) will pause for a few extra seconds and require active JavaScript to figure out if the person behind that request is a human using a browser or not. (It will not prevent someone from physically sitting in front of a computer and doing a 'manual' DDoS attack, possibly with several friends doing the same thing...)

  2. Use the WordFence Security plugin. WordFence will act not only as a way to scan your website (if it was infected) but also as an application firewall, and, yes, it is also good at detecting harmful attacks, especially those that are targeted at brute-force attempts to guess passwords. Because it also works on millions of websites, they collect a blacklist which is served to everybody very quickly. And also because it sits at the application level, it has some knowledge of how people use typical attacks on WordPress servers and blocks them before they're harmful. It also includes their own caching engine (you can turn it off), so it's a multipurpose plugin. The disadvantage, of course, is that it runs on WordPress — that is, potential threats/attacks are already threatening your server, so even if you block them, you might preserve the integrity of WordPress, but you will still be wasting CPU and bandwidth in order to deal with all those attacks.

For that reason, I use both for practically all my websites. They're not perfect nor foolproof, but both give some interesting statistics about how many attacks they have defeated, and these numbers are actually scary... even on very low-traffic websites, in which I had (wrongly) guessed that hackers would have little interest.

