WordPress is a great platform for building websites but it's important that site owners keep WordPress site security up to date and take precautions to stay secure. A good starting point is to keep WordPress and associated plugins up to date.
One of the first things to do is ensure that you change your login username from the old default of ‘Admin'. Bots will routinely trawl the web looking for WordPress sites and using ‘Admin' as the login and try to crack the password.
Speaking of which, your password should be changed regularly and ensure it is unique and a hard one to crack, e.g. special characters, letters (upper and lower case) and numbers.
Usernames cannot be changed so you may need to create a new administrator account, login to the new account and then delete the old ‘Admin' account ensuring that you reassign that account's post to the new one. And breathe…
What else should be on your WordPress security checklist? You could consider the Sucuri plugin. I guess this is best described as a ‘wordpress security scanner‘.
Sucuri sends me email alerts when a bot has tried accessing as ‘Admin'; I monitor but that is pretty much it.
Yesterday was unusual as I started getting notifications with different username attempts on my personal website. They tried ‘Admin' but then changed to try other possibilities such as my name.
The IP address responsible for this happened to be located in China. I also use CloudFlare for my site and was able to block this IP there. CloudFlare offers a security service for websites as well as improves overall performance.
Ahead of blocking it from seeing my site (hopefully!), another plugin I recommend is ‘Limit Login Attempts' where you can set a max number of attempts before that IP is frozen out.
None of this is exactly fun but it does serve as a useful reminder for WordPress users of the need for security and vigilance.