I was alerted to this article by Matt Mullenweg, the founder of WordPress, with regard to a recent spate of brute force attacks on WordPress websites.
Allow me to summarise what Matt says in his article:
- If your Administrator username is “admin”, create a new Administrator with a harder-to-guess username, and delete the “admin” username (follow this link for a step-by-step guide to creating a new user in WordPress)
- If your password is easy to guess, change it to a strong password (follow this link for suggestions on how to select a strong password)
For a “belt and braces” approach, you could also install the Limit Login Attempts WordPress plugin. The only change you need to make is to increase the “minutes lockout” time to 9999 – this prevents the attacker from trying again for 9999 minutes.
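As an added illustration of what a lockout plugin does (this is example code written for this post, not the Limit Login Attempts plugin's own source), the following must-use plugin counts failed logins per client address in a WordPress transient and refuses further authentication once a threshold is reached; the threshold of 5, the `ex_` function names and the assumption that `REMOTE_ADDR` is the real client address (not a reverse proxy) are my own choices, while the 9999-minute window is the figure from the post.

```php
<?php
/*
Plugin Name: Example login lockout (illustration only)
*/
// Assumed threshold: lock the client out after this many failed logins.
define('EX_LOCKOUT_MAX_ATTEMPTS', 5);
// Lockout window, in minutes, taken from the post above.
define('EX_LOCKOUT_MINUTES', 9999);

// Transient key for the current client. Assumes REMOTE_ADDR is the real
// client; behind a trusted reverse proxy you would use its forwarded header.
function ex_lockout_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_lockout_' . md5($ip);
}

// Each failed login bumps the counter; the transient expires after the window.
add_action('wp_login_failed', function ($username) {
    $key      = ex_lockout_key();
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, EX_LOCKOUT_MINUTES * MINUTE_IN_SECONDS);
    // Record the attempt so failed-login bursts are visible in the PHP error log.
    error_log(sprintf('WordPress login failed for "%s" (attempt %d from this client)',
                      $username, $attempts));
});

// Runs after WordPress's own username/password check (priority 20), so a
// locked-out client gets an error even when the password is correct.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(ex_lockout_key()) >= EX_LOCKOUT_MAX_ATTEMPTS) {
        return new WP_Error('ex_locked_out',
            'Too many failed login attempts from this address. Please try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(ex_lockout_key());
});
```

Drop the file into `wp-content/mu-plugins/` to activate it; because transients are shared, the counter also applies across all usernames tried from the same address, which is exactly the case the brute-force attacks in the post exploit.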