Default settings for WordPress leaves a new setup vulnerable.
Generally, hacked WordPress websites are more common.
A default install leaves the website with the username “admin” and password usually “admin”. If you’ve only changed the password this is not enough. A major flaw of the WordPress login page is that when you have the correct username the system provides feedback letting the hacker attempting to gain access know they at least have the username correct. Then only have to bombard the WordPress site until they get the correct password.
Servers are setup to detect this and will usually block the hackers attempts but these systems are not fail-safe and it is likely a hacker with use different IPs and mechanisms to allow many attempts at password.
- It is recommended that the username be changed from default “admin” to something random.
- A random password.
- Change the location of the login page.
- Upgraded WordPress security.