The greatest hack focus on a WordPress site seems to be trying to log in with
the default username “admin”. This plugin detects all login attempts with that
username and exits with a 403 Forbidden header. This should eventually
discourage login bots from continuing to pound your site.
All attempts are logged inside the /wp-content/plugin-data folder, just in case
you need the info. Logs are kept for up to 30 days.
- Create a unique administrator account, if necessary.
- Assign all admin posts to this alternate administrator account.
- Delete the default admin account.
- Alternatively, use a plugin or database access to change the default username.
- When there’s no longer an “admin” user, just upload, install and activate.