WordPress installations often get broken into by brute force guessing of the password for the “admin” account. Changing the administrator account to something other than “admin” is the single best thing you can do to improve WordPress security.
My favorite WordPress security plugin is iThemes Security (formerly WP Security). It has every security feature you can think of in one plugin, and is available as a free plugin or a paid version with more features. I just noticed that it has a new feature. It can automatically blacklist IP addresses that try to log in using the admin username.
- Install iThemes Security plugin. In the WordPress administration panel, click on Security. It will be on the left side near the bottom.
- Before making changes, make a backup of your database on the off chance something goes wrong. Click the Backup tab. Click the Create Database Backup button. While you’re in the tab, it’s a good idea to schedule automatic database backups.
- Click the Advanced tab. Change the administrator name to something other than admin.
- Click the Settings tab. Under Brute Force Protection, check the box for “Immediately ban a host that attempts to login using the ‘admin’ username.”
- Click the Save All Changes button.
That will stop 99% of bogus login attempts.
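For anyone curious how that “ban on the admin username” rule works under the hood, here is an added example of my own, not code from iThemes Security: a small must-use plugin (drop it in wp-content/mu-plugins/) that hooks WordPress’s own `authenticate` filter and bans the client IP for an hour the moment it tries the “admin” username. The function name, transient key prefix and one-hour duration are my choices; it assumes WordPress sees the real client address in `REMOTE_ADDR`.

```php
<?php
/*
Plugin Name: Example admin-username ban (mu-plugin)
Description: Added example; bans a client IP for one hour the moment it tries to log in as "admin".
*/

// Hook WordPress's own 'authenticate' filter. Priority 30 runs after the core
// username/password checks (priority 20); the third argument count gives us
// the submitted username.
add_filter( 'authenticate', 'example_ban_admin_username', 30, 3 );

function example_ban_admin_username( $user, $username, $password ) {
    // Assumption: WordPress sees the real client address. Behind a reverse
    // proxy or CDN you must resolve the forwarded address first, otherwise
    // every visitor shares one IP and one ban.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( '' === $ip ) {
        return $user;
    }

    // One transient per client IP is the ban record; it expires on its own.
    $ban_key = 'example_admin_ban_' . md5( $ip );

    // Already banned: refuse regardless of the credentials supplied.
    if ( false !== get_transient( $ban_key ) ) {
        return new WP_Error( 'example_banned', 'This address is temporarily blocked.' );
    }

    // Once the real administrator has been renamed, any attempt with the
    // "admin" username is by definition bogus, so ban immediately.
    if ( 'admin' === strtolower( trim( (string) $username ) ) ) {
        set_transient( $ban_key, time(), HOUR_IN_SECONDS );
        error_log( sprintf( 'example_ban_admin_username: banned %s for trying the admin username', $ip ) );
        return new WP_Error( 'example_banned', 'This address is temporarily blocked.' );
    }

    // Not banned and not the admin username: leave the core result untouched.
    return $user;
}
```

Because the check sits on the `authenticate` filter rather than on the login form, it also covers XML-RPC logins, which go through the same `wp_authenticate()` path.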
Another WordPress plugin I like is Captcha (free and paid versions available). It protects the login page and comments from bots by asking the user to answer a simple math problem.