Thanks for your replies, but the theory given by Ragzor doesn't fit the pattern that the hacker used.
He didn't try random user names, he targeted exactly the users that are registered on my site. Everything is logged, including passwords tried and such. There was no attempt on any non-existing user.
I have banned the IPs on server level, so there is no way he can try again. And I have automatic banning after 4 tries, so that's not a problem either.
What I consider strange with this hacker is that he have, without a doubt, access to all my users usernames. However, he don't have access to any passwords or such information.
Anyone heard of something like this before? Or is this a new way of hacking wordpress sites?
To prohibit leading you on the wrong way again, let me explain what counter measures are up on my site.
* Login limit (4)
* Anti virus
* Anti tamper
* No register of new users
* Site reports back all actions thru mail
* Logging of actions
* Server banning of brute force hacks thru IP
* Limited user rights (UAM)
* No user are allowed to see other users
* No user can communicate directly to other users
* No weak passwords allowed (except for lowest rank members)
* All themes are made by me, so no external code there
In other words, my WordPress site is pretty safe. Still, somehow, a hacker managed to target my users directly. Not even one letter or number was entered in error, except for the passwords.
He didn't have any clue what status the members have on my site either. Since he targeted mainly the onces that registered for commenting only.
There doesn't seem to be anything wrong with either the db or anything else on the site. The hacker didn't access any accounts and had no access to anything on the server.
Checking the IP logs of the server shows no former match of the IP on any registered user, so the hacker wasn't a registered user of any kind. According to the logs, he had never visited my site using any IP used while trying to hack the site.
I'm clueless about how he/she did this. But I'm not worried about my security. Still, I'd love to know how he/she managed to get the information without me knowing it. That's the question that eats me up.
Sorry for ramling, but I wanted to give you the situation as it is.