Word on the street is that some WordPress blogs are being hit with a brute force attack that is essentially a script that continuously tries to guess the admin’s password.
Dennis Fisher has all the details over on Threatpost summing up the threat with the following:
The wp_brute_attempt() function takes 3 parameters, $ch which is cURL’s structure (cURL is a command line tool that can be used to perform HTTP requests). The other two parameters define the site and the password that will be tried. If the script logged in successfully, the page that gets returned by the server will contain the phrase “Log Out”, and the function will return a true value.
So how can you protect yourself from this kind of attack?
It’s actually fairly easy. Change the default administrator’s login name from admin to something unique, and use strong passwords that mix numbers, capital letters, and so on.
There’s also a plugin designed specifically to prevent this sort of brute force attack, called Login Lockdown.
The plugin “records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range.”
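As an added illustration (not the plugin’s code, and not from the original post), here is that lockout rule reduced to a small Python class: failed logins are bucketed by /24 range with a sliding window, and the threshold, window, lockout length and prefix are assumed values, as are the sample log lines.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

class LoginLockdown:
    # Policy values are hypothetical, not the plugin's defaults: more than max_failures
    # failures from one /prefix range inside `window` locks that range out for `lockout_for`.
    def __init__(self, max_failures=2, window=timedelta(minutes=5),
                 lockout_for=timedelta(hours=1), prefix=24):
        self.max_failures, self.window = max_failures, window
        self.lockout_for, self.prefix = lockout_for, prefix
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> lockout expiry
    def range_of(self, ip):
        # Key by network, not host: a scanner can rotate source hosts within a range.
        return str(ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False))
    def is_locked(self, ip, now):
        expiry = self.locked_until.get(self.range_of(ip))
        return expiry is not None and now < expiry
    def record_failure(self, ip, now):
        # Register one failed login; return True if it pushes the range over the limit.
        rng = self.range_of(ip)
        recent = self.failures[rng]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget stale failures
            recent.popleft()
        if len(recent) > self.max_failures:
            self.locked_until[rng] = now + self.lockout_for
            recent.clear()
            return True
        return False

# Constructed sample log lines (not real traffic): "date time status user ip".
SAMPLE_LOG = """\
2013-04-12 10:00:01 FAILED admin 203.0.113.5
2013-04-12 10:00:02 FAILED admin 203.0.113.6
2013-04-12 10:00:03 FAILED admin 203.0.113.7
2013-04-12 10:30:00 FAILED editor 198.51.100.20
"""

def replay(log_text, guard=None):
    # Feed failed logins into the guard; return (range, timestamp) of each lockout.
    guard = guard or LoginLockdown()
    lockouts = []
    for line in log_text.splitlines():
        date, time, status, _user, ip = line.split()
        if status == "FAILED" and guard.record_failure(ip, parse_ts(f"{date} {time}")):
            lockouts.append((guard.range_of(ip), f"{date} {time}"))
    return lockouts
```

Calling `replay(SAMPLE_LOG)` locks out the whole 203.0.113.0/24 range on the third failure, while the single failure from 198.51.100.20 leaves that range untouched.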
And last but not least, as a final line of defense, make sure you regularly back up your WordPress installation to multiple locations.
I know posts like this seem like nagging or a waste of time, but the first time your blog is hacked you’ll be kicking yourself for not taking action.