I got the following warning from my web hosting company, and just wanted to give everyone a heads up.
Defending Against Global WordPress Brute Force Flood
There has been a massive distributed brute force attack being launched the past few days against every WordPress based website at every hosting provider on the Internet. Over 100,000 different IP addresses are currently attempting to guess the admin user's password in every WordPress site. By default, WordPress cannot protect itself against this type of attack, but you can protect against this attack by following the tips in this email.
Here are the most critical steps:
1.Update WordPress to the latest version using the update function in the WordPress admin section.
2.Install the "Better WP Security" pluggin in WordPress. This will add brute force detection and auto-blocking, and it will make it easy to make additional security related improvement to your WordPress site.
3.Click on the Security tab in the WordPress admin to tweak the security settings.
4.Change the admin username to something else (since the hackers are trying to guess the password for the WordPress admin account).
5.While you are tweaking security, change the WordPress table prefix, the user id 1, and some of the other items listed in the Security tab. These things are not related to this current wave of brute force attacks, but these are generally good security ideas that will likely help against future attacks.
6.Remove every theme and pluggin that you are not currently using. Leave only the "Better WP Security" pluggin if you can. Fewer themes and pluggins will mean fewer things for hackers to target in the future.
7.Choose a really strong password for your admin level user. Long, completely random jumbles are the best, because they cannot be quickly guessed in a dictionary attack. Don't use plain English words. Remember, 20+ character random jumbles are drastically more secure than simple passwords like "qwerty" or "password123". Even after you have changed the admin user's username, it is still important to take password complexity seriously.
If you are using WordPress in your websites, please follow these security tips and pass these security tips on to all of your friends.