After I checked the login stats I was astounded at how many hacking attempts were made on this blog in the last couple of months. Most people think they don’t need to protect their site simply because it has no value or importance to hackers. What they fail to see is that these days hackers go for quantity, not quality: they use simple programs that scan the internet for WordPress sites, then exploit human as well as technical vulnerabilities to gain access to a site and take control of it. Once a hacker controls dozens or hundreds of sites, he can use them for commercial purposes, like redirecting all traffic to CPA offers, or for malicious purposes, like using the sites/servers to attack a larger, more secure target.
Step #1. Change your admin username from the default “admin” or “Admin” to something else. Treat it the same as your password and don’t make it obvious. All of the attempts to brute force a password on my blog were made using an “admin” login. Just doing this will most likely protect you from 99% of the attacks.
Step #2. For a little extra security, install a free WordPress plugin called Limit Login Attempts, which can be found in the WordPress plugins directory. This plugin locks out a computer, based on cookies and IP, for a specified amount of time after 4 failed login attempts. After 4 lockouts you can set the lockout time to 24, 48 or even 120 hours, which makes brute forcing your password impossible.
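To see what the lockout in Step #2 does to a guessing bot, here is an added Python model (not the plugin's own code, and not from the original post) that replays constructed failed-login events through the policy described above. The 20-minute first lockout, the per-IP-only tracking (cookies ignored, counters never expire), the sample IPs and the function names are assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MAX_RETRIES = 4                        # from the post: lock out after 4 failed attempts
SHORT_LOCKOUT = timedelta(minutes=20)  # assumed; the post only says "a specified amount of time"
LOCKOUTS_BEFORE_LONG = 4               # from the post: after 4 lockouts the long time applies
LONG_LOCKOUT = timedelta(hours=24)     # one of the 24/48/120-hour options in the post


def simulate(events):
    """Replay (timestamp, ip, username) failed logins, given in time order.

    Returns {ip: {"evaluated": n, "blocked": n, "lockouts": n}} where
    "evaluated" counts guesses that actually reached the password check.
    """
    state = defaultdict(lambda: {"fails": 0, "until": None,
                                 "evaluated": 0, "blocked": 0, "lockouts": 0})
    for ts, ip, _user in events:
        s = state[ip]
        if s["until"] is not None and ts < s["until"]:
            s["blocked"] += 1          # still locked out: rejected without a check
            continue
        s["evaluated"] += 1
        s["fails"] += 1
        if s["fails"] >= MAX_RETRIES:  # retries used up: start a lockout
            s["fails"] = 0
            s["lockouts"] += 1
            escalate = s["lockouts"] >= LOCKOUTS_BEFORE_LONG
            s["until"] = ts + (LONG_LOCKOUT if escalate else SHORT_LOCKOUT)
    return {ip: {k: s[k] for k in ("evaluated", "blocked", "lockouts")}
            for ip, s in state.items()}


def constructed_events():
    """Constructed sample data: one IP guessing every 30 s for 24 h,
    and a second IP that fails three times and gives up."""
    t0 = datetime(2024, 1, 1)
    bot = [(t0 + timedelta(seconds=30 * i), "203.0.113.7", "admin")
           for i in range(2880)]
    other = [(t0 + timedelta(minutes=5 * i), "198.51.100.9", "Admin")
             for i in range(3)]
    return sorted(bot + other)


if __name__ == "__main__":
    events = constructed_events()
    print("usernames tried:", dict(Counter(user for _, _, user in events)))
    for ip, stats in simulate(events).items():
        print(ip, stats)
```

Under these settings the bot gets 16 password checks in 24 hours instead of 2,880, and the second IP, with only three failures, is never locked out.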