No site hardening tips for us on the attacked end?
Fine I'll give one. As a first line of defence, you could drop connections with "WordPress" in the user agent, in nginx.
You ARE using nginx right?
More than 26,000 WordPress sites have been enslaved and used in a recent distributed denial-of-service attack campaign using a vulnerability first described in March 2014. The layer seven attacks exploit the pingback feature activated by default on WordPress sites, which informs other sites when they have been linked to. Those …
Remove plugins and themes you don't need, and install All In One WP Security and just follow the built in instructions and disable as much as you can (pingback is in the "Firewall" tab). Besides pingback there are also XML-RPC weaknesses you best kill off unless you use an app, and you may want to consider removing the Jetpack.
Basically, if you had done what we said the last time there was a problem this should not have been a concern for you :)
My ISP offers them for free, all my sites have a Geotrust Secure Site starter DV SSL cert, which is SHA-256 with RSA encryption and a 2048bit key size. Some of these sites are WP, some Joomla, all of them using two factor logins because that too is free (Joomla has it built in, WP still needs a plugin for it).
They're using a fairly tightly secured Apache on FreeBSD, which has as only disadvantage that that anything with images has to do without ImageMagick or GraphicsMagick support.
So the question is not "why", but "why not" :)