There was nothing obvious to me in the MySQL log. It seems to just be regular startup-type messages in there. Admittedly, I don’t have tons of time to spend on this (or much reason to do so).
I’ve decided for now just to add a few more rules to my Apache configuration – block access to the WordPress login using HTTP Basic Authentication. That should mean that any mischievous web requests (brute force attacks or otherwise) should be handled solely by Apache, without reaching PHP/MySQL.
