A botnet controlled by bad guys is doing a brute-force attack on WordPress sites, apparently via the former default “admin” administrative account. My hosting provider offers these instructions on how to avoid this particular issue:
Until a couple of years ago, the default/starter account on every WP site was named “admin.” That’s no longer true, but there are still a lot of sites out there with an account called “admin.”
There is currently a large-scale botnet-driven attack going on that is trying to brute-force its way into WP sites by guessing passwords on the “admin” account.
Visit the Dashboard of each of your WordPress sites, click on Users, and make sure none of the accounts are called “admin.” If you find any, please make sure you have another account with Administrator privileges, then log in with that new account name and delete the account named “admin.”
While you’re in there, please take the opportunity to make sure you’re using a good strong password, and to update WordPress itself and all of your plugins.
UPDATE: Ars Technica has a deeply reported piece on this attack, with some excellent additional advice. I’m installing two plugins Ars recommends, one to limit login attempts and another that is a popular security add-on.