Since you are SSOing (is that a word?) through WP, you might want to add a Captcha to your login. It is really effective against that kind of automated bot (if it is an automated spam bot) I’d try the new one by Google (https://www.google.com/recaptcha/intro/index.html) first as it only requires a code if it thinks you may be a bot.