When you install WordPress the default user name is admin, this is something you should try to avoid.
Most hackers try access your site via wp-admin or the wp-login.php page, and they know that the most common username out there is admin. They try a combination of passwords; this is commonly known as a brute force attack.
But not only should you not use admin, best practice also dictates that the database User ID should also change, when you install WordPress it assigns the first login to the ID of 1. Hackers will also know this and will determine your login name via the User ID.
What we try do when developing or installing a new WordPress website is:
For an existing site you can basically follow the same procedure as above, but just make sure you transfer any post or pages, don’t worry WordPress will ask you.
With a brute force attack, hackers try multiple password combinations in a row to try and get the right combination of password. What you should try and do is ban users that have more than 5 incorrect passwords in a row.
We ban a user for 10 minutes, if they have five incorrect logins in a row.
So if there is no user on our WordPress install that uses admin, why not just ban anyone that tries to use admin as a user name. This I find is a nice quick way to stop a lot of unwanted access to your system.
Some plugins we use to protect our sites.
Follow all our tips and tricks for WordPress, our goal is to help you reduce the risk on your WordPress website, and following the tips will greatly reduce your sites exposure.