I know you’ve heard it before, but I can’t stress enough how important it is to NOT use ‘admin’ as the username you administer WordPress with. I found a nifty plugin called Limit Login Attempts that limits the number of times a given IP address can attempt to log in to your WP install. Unfortunately, by default, WordPress core allows unlimited login attempts, both through the login page and by sending specially crafted cookies.
From the plugin page:
“Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.”
As you can see from the screenshot below, 13 people attempted to hack into my WP install in a 17-hour period. Not once, but 3 times each before being blocked. Every single attempt from each IP address used the username ‘admin’. The plugin logs the IP address of anyone attempting to gain access to your site. You can then use that IP address to block them via .htaccess, at the firewall, or with a plugin.
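To make the mechanism concrete, here is an added example (my own code, not the plugin’s) of a per-IP login limiter in Python that does what the post describes: after a configurable number of failed attempts from one address, further attempts are refused for a lockout period, the offending address and username are logged, and the logged addresses can be turned into .htaccess `Deny from` lines. The retry limit, lockout length, and the sample traffic are constructed values for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginLimiter:
    """Per-IP failed-login lockout (assumed defaults: 3 retries, 20-minute lockout)."""
    max_retries: int = 3
    lockout_seconds: int = 1200
    window_seconds: int = 1200  # failures older than this no longer count
    failures: dict = field(default_factory=lambda: defaultdict(list))
    blocked_until: dict = field(default_factory=dict)
    blocked_log: list = field(default_factory=list)  # (ip, username, time) per lockout

    def attempt(self, ip, username, password_ok, now):
        """Record one login attempt; return 'blocked', 'ok' or 'failed'."""
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"  # refuse without even checking the password
        if password_ok:
            self.failures.pop(ip, None)  # success clears the failure history
            return "ok"
        recent = [t for t in self.failures[ip] if now - t <= self.window_seconds]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_retries:
            self.blocked_until[ip] = now + self.lockout_seconds
            self.blocked_log.append((ip, username, now))  # what the plugin shows you
            self.failures.pop(ip, None)
        return "failed"


def htaccess_lines(limiter):
    """Apache mod_access_compat 'Deny from' lines for every address that got locked out."""
    return [f"Deny from {ip}" for ip in sorted({ip for ip, _, _ in limiter.blocked_log})]


# Constructed sample traffic (not real log data): (time, ip, username, password_ok)
SAMPLE = [
    (0, "198.51.100.7", "admin", False),
    (5, "198.51.100.7", "admin", False),
    (9, "198.51.100.7", "admin", False),   # third failure -> locked out
    (12, "198.51.100.7", "admin", False),  # refused while locked out
    (20, "203.0.113.9", "admin", False),
    (30, "203.0.113.9", "admin", False),   # two failures, still under the limit
    (40, "192.0.2.55", "editor", False),   # legitimate user mistypes once...
    (45, "192.0.2.55", "editor", True),    # ...then logs in, clearing the count
]


def replay(events, limiter=None):
    """Feed sample events through a limiter; return (per-event results, limiter)."""
    limiter = limiter or LoginLimiter()
    return [limiter.attempt(ip, user, ok, t) for t, ip, user, ok in events], limiter
```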
When setting up the username and password you use to administer your WP install, choose a username that is meaningful to you but does not contain ‘admin’, and then make sure you use a very strong password: upper- and lower-case letters, numbers, and special characters. I know it’s a pain, but it will save you from having to delete your site and start over after it’s been hacked.
Here’s another shot from the dashboard: