If one had unlimited time and wanted to try an unlimited number of password combinations to get into your site, they eventually would, right? This method of attack, known as a brute force attack, is something that WordPress is acutely susceptible to by default, as the system doesn't care how many attempts a user makes to log in. It will always let you try again. Enabling login limits will ban the host user from attempting to log in again after the specified bad login threshold has been reached.
Automatically Ban "admin" User
Bans any login attempts using the "admin" username.
Max Login Attempts Per Host
The number of login attempts a user has before their host or computer is locked out of the system. Set to 0 to record bad login attempts without locking out the host.
Max Login Attempts Per User
The number of login attempts a user has before their username is locked out of the system. Note that this is different from hosts in case an attacker is using multiple computers. In addition, if they are using your login name, you could be locked out yourself. Set to 0 to log bad login attempts per user without ever locking the user out (this is not recommended).