A massive brute-force attack on sites using WordPress as their CMS is under way.
A huge botnet of more than 90,000 servers is attempting to log in to sites that run WordPress as their CMS and use weak, common user names and passwords.
Some web hosting providers have already emailed their WordPress users to warn them and ask them to tighten their security.
The new attack seems to be aware of the WordPress security plugin ‘Limit Login Attempts’, which disables the login functionality after every 4 failed attempts from the same IP address. The attempts come from thousands of IP addresses, and each IP tries to enter the admin area no more than twice within some period of time.
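Because each address stays under the per-IP limit, a defender has to count failed logins across all sources as well. The following Python script is an added example, not part of the original post: it reads web access log lines and reports the busiest window both per IP and site-wide. The log lines, the 10-minute window, the site-wide limit of 20 and the convention that a failed login returns 200 are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Combined log format fields used here: client IP, timestamp, method, path, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
PER_IP_LOCKOUT = 4                # per-IP limit the post gives for the plugin
WINDOW = timedelta(minutes=10)    # assumption: length of the counting window
SITE_WIDE_LIMIT = 20              # assumption: failed logins per window, all IPs

def failed_logins(lines):
    """Yield (time, ip) for each POST to wp-login.php answered with 200.
    Assumption: a failed login re-renders the form (200), a good one redirects (302)."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php") \
                and m["status"] == "200":
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def analyse(lines):
    """Find the busiest WINDOW and judge it per IP and site-wide."""
    events = sorted(failed_logins(lines))
    best, start = [], 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > WINDOW:
            start += 1
        if end - start + 1 > len(best):
            best = events[start:end + 1]
    per_ip = Counter(ip for _, ip in best)
    return {
        "failures": len(best),
        "sources": len(per_ip),
        "locked_out_ips": sorted(ip for ip, n in per_ip.items() if n >= PER_IP_LOCKOUT),
        "distributed_alert": len(best) >= SITE_WIDE_LIMIT,
    }

def sample_log():
    """Constructed log: 30 documentation-range IPs, two failed logins each."""
    lines = [f'198.51.100.{i + 1} - - [01/Jan/2024:10:{attempt * 4:02d}:{i:02d} +0000] '
             f'"POST /wp-login.php HTTP/1.1" 200 3456'
             for i in range(30) for attempt in range(2)]
    lines.append('203.0.113.7 - - [01/Jan/2024:10:05:00 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0')  # constructed successful login
    return lines

if __name__ == "__main__":
    print(analyse(sample_log()))
```

On the constructed log no address reaches the per-IP limit, yet the site-wide count trips the alert.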
One way to tighten security is to protect the login page itself, making it difficult for bots to reach the login page and then the admin area.
Another way is to create an additional user account with administrator privileges and delete the default admin account, which makes the user name difficult to guess too, as admin is the default user name for every WordPress installation.
There are many other ways to protect a site before it becomes vulnerable.
Contact your hosting provider for a good solution and make your website safe from the attack.