After reading a post about WordPress login security by J. Max Wilson, I finally took the step of adding a security plugin to protect my site from brute-force attacks. Since installing the plugin I have been made aware of the attempts to hack into the site. If the original post had not warned me that such attacks are more frequent than expected, I would have been worried when I started to see how often they occurred.
Over the months since installing the plugin and seeing the details of the attacks I was facing, I have come to one conclusion about a simple trick that keeps such attacks from compromising your site: don’t have a user named “admin.” With one exception so far, every attack on my site has tried to log in as “admin,” and so all such attempts have been futile, since I have never had a user by that name. (The one exception was an attempt to log in as “david,” which also does not exist on my site.)
No matter how weak your passwords may be, an intruder cannot log in with a username that does not exist. Keep in mind, though, that usernames are not secret: WordPress shows each author’s slug in author archive URLs, so an attacker who bothers to look can find real account names, and strong passwords still matter. Of course renaming the account does nothing to stop repeated login attempts from consuming server resources, so I still recommend a plugin or other method of securing your site against such intrusions, but if you have a user named “admin,” get rid of it. If you need help with how to do that, look here. That resource has suggestions for people with various levels of skill and access to their server, but if you have direct access to the database the simplest thing is to change the username of the admin user directly in the database.
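As an added example (not code from the original post), here is what that database change looks like in MySQL/MariaDB on a default WordPress install. The table prefix wp_, the replacement login site_owner and the display name are assumptions to adjust for your own site.

```sql
-- Added example (not from the original post): renaming the default "admin"
-- account directly in the WordPress database with MySQL/MariaDB.
-- Assumes the default table prefix "wp_" and a replacement login
-- "site_owner"; both are placeholders to change for your install.
-- Back up wp_users before running this.

-- 1. Confirm the account exists and note its ID. Posts reference the
--    numeric ID (wp_posts.post_author), not the login, so renaming the
--    account does not detach any content from it.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = 'admin';

-- 2. Make sure the new login is free. WordPress enforces unique logins
--    in application code, not with a database constraint, so the UPDATE
--    below would happily create a duplicate. This must return 0.
SELECT COUNT(*) AS already_taken
FROM wp_users
WHERE user_login = 'site_owner';

-- 3. Rename inside a transaction so a mistake can be rolled back.
START TRANSACTION;

UPDATE wp_users
SET user_login    = 'site_owner',
    -- user_nicename is the public author slug (/author/<slug>/).
    -- If it stays "admin", the old name is still visible to attackers.
    user_nicename = 'site_owner',
    display_name  = 'Site Owner'
WHERE user_login = 'admin';

-- 4. Verify exactly one row changed and no "admin" login remains.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login IN ('admin', 'site_owner');

COMMIT;   -- or ROLLBACK; if the result is not what you expected
```

The password is untouched, since it lives in the same row under user_pass. Any existing browser session for the renamed account will stop working, because the WordPress login cookie carries the login name, so simply sign in again with the new username and the old password.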