As WordPress security and attacks are in the news, I wanted to share this simple and official take by the founder/creator of WordPress himself... Please make sure you have no user with the username "admin"...
Almost 3 years ago we released a version of WordPress (3.0) that allowed you to pick a custom username on installation, which largely ended people using "admin" as their default username. Right now there's a botnet going around all of the WordPresses it can find trying to login with the "admin" username and a bunch of common passwords, and it has turned into a news story (especially from companies that sell "solutions" to the problem).
Here's what I would recommend: If you still use "admin" as a username on your blog, change it, use a strong password, if you're on WP.com turn on two-factor authentication, and of course make sure you're up-to-date on the latest version of WordPress. Do this and you'll be ahead of 99% of sites out there and probably never have a problem. Most other advice isn't great -- supposedly this botnet has over 90,000 IP addresses, so an IP limiting or login throttling plugin isn't going to be great (they could try from a different IP a second for 24 hours).
source: Passwords and Brute Force -- Matt Mullenweg
I just noticed the links he included for how-to info on changing the username and choosing strong passwords are missing from the quoted text, so here they are:
Change Admin user: Change your WordPress admin Username
Strong Password: Selecting a Strong Password -- Support -- WordPress.com
Hope this will clear up much of the confusion, and that this simple advice and official take will make things clearer and simpler for you.
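As an added example (not Matt's advice nor WordPress core code), here is a small must-use plugin that puts the recommendation into practice on a self-hosted site: once the real administrator has been renamed, every login attempt for "admin" is refused outright and the distinct source IPs are counted, which makes the "many IPs, one username" shape of the campaign visible in the error log. The function and transient names are my own; the `authenticate` filter, `WP_Error`, the transient API and `DAY_IN_SECONDS` are WordPress core.

```php
<?php
/*
Plugin Name: Deny Default Admin Login (added example)
Description: Rejects any login attempt for the username "admin" and records the distinct source IPs seen.
*/

// Assumption: the site's real administrator has already been renamed, so every
// attempt to log in as "admin" is by definition one nobody legitimate is making.
function ddal_deny_admin_username( $user, $username, $password ) {
    if ( strtolower( trim( (string) $username ) ) !== 'admin' ) {
        return $user; // some other account: leave the normal authentication chain alone
    }

    // Behind a reverse proxy REMOTE_ADDR is the proxy, not the client; adjust if so.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // Keep an approximate rolling set of distinct source IPs for 24 hours so the
    // size of a distributed campaign shows up, which a per-IP throttle never reveals.
    $seen = get_transient( 'ddal_admin_attempt_ips' );
    if ( ! is_array( $seen ) ) {
        $seen = array();
    }
    if ( count( $seen ) < 10000 ) { // hard cap so the stored set cannot grow unbounded
        $seen[ $ip ] = time();
    }
    set_transient( 'ddal_admin_attempt_ips', $seen, DAY_IN_SECONDS );

    error_log( sprintf(
        'ddal: rejected login as "admin" from %s (%d distinct IPs in last 24h)',
        $ip,
        count( $seen )
    ) );

    // Same generic message whether or not an "admin" account or password exists,
    // so the response leaks nothing about the account.
    return new WP_Error( 'ddal_denied', __( 'Invalid username or password.' ) );
}

// Priority 99 runs after core's own username/password check (priority 20), so
// this refusal is the final word even if someone later recreates an "admin" user.
add_filter( 'authenticate', 'ddal_deny_admin_username', 99, 3 );
```

Drop the file into wp-content/mu-plugins/ so it loads before ordinary plugins and cannot be deactivated from the dashboard; the rejected attempts then appear in the PHP error log with their running distinct-IP count.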