This blog is not hosted by the Skype but on WordPress VIP. This means that, most likely, the blog was not broken into using a software exploit of any sort since the security on VIP blogs is professional. Knowing that this is the Syrian Army, this attack was most likely done using phished credentials.
If they had any sort of system access they would have defaced the entire subdomain or the main site. So most likely, this is nothing to worry about. Your account data most likely still in safe hands.
Limiting login attempts is not as effective as you might think. How should it work? If you want to ban IP addresses that get X attempts wrong in Y minutes, then you're failing to realize that hackers like this normally have access to hundreds or thousands of IP addresses. If you want to lock the whole account for a while, then you've just introduced a way for anyone to lock the account of someone else they don't like.
Also considering that their Twitter and Facebook accounts were also compromised, your assumption that it was the blog itself that was compromised is a big one. I don't have any first hand knowledge on that though personally, I'm just saying.
No need to ban an IP address. After x attempts just add y seconds before allowing another login attempt. If you like, lock account with SMS or email to owner after z attempts. Do this per login, regardless of device type/location. The time taken to test out just 5 passwords should make a brute force impractical.
It does appear to be a brute force or phishing attack. These sort of drive-bys can typically be permanently stopped with 2FA or a password-less MFA solution like LaunchKey (Disclaimer: co-founder). LaunchKey has a free WordPress Plugin available, among others: http://wordpress.org/plugins/launchkey/
It is 2014, you better prepare a good PR response for when you get breached OR start implementing stronger authentication ASAP.
WordPress.com offers two-step authentication for all of our users. You can use any application which supports Time-Based One-Time Passwords (TOTP) such as Google Authenticator, Authy, etc. and you can also receive a one time password via SMS.
If they had any sort of system access they would have defaced the entire subdomain or the main site. So most likely, this is nothing to worry about. Your account data most likely still in safe hands.