Automattic (the company that owns WordPress) bought a spam protection system a while ago. It is now part of Jetpack for self-hosted WordPress sites.
If you activate the ‘protect’ setting it adds this piece of arithmetic to the login page. Of course if you are human and can count, then it alone is no deterrent. But if you are a spambot and cannot see the words at all, then you will not fill in the answer (right or wrong).
In that event, you will be sent off to another page to answer another addition question as a precondition of being let back to the login page.
Here’s the blurb on the Jetpack settings page for Protect:
Jetpack Protect is a cloud-powered brute force attack prevention tool. We leverage the millions of WordPress sites to identify and block malicious IPs. Jetpack Protect tracks failed login attempts across all installed users of the plugin. If any single IP has too many failed attempts in a short period of time, they are blocked from logging in to any site with this plugin installed. Jetpack Protect is derived from BruteProtect, and will disable BruteProtect on your site if it is currently enabled.
The text bolding is mine.
So it’s ‘Mess with us and you will be blocked from multiple sites, not just this one.’ Pretty draconian isn’t it?
Still, if you are a spambot you won’t notice and if you are a human and forgot your login credentials you can retrieve it via the ‘lost your password’ prompt before things get out of hand.