Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator bcworkz

    (@bcworkz)

    Usernames should not be thought of as secret information. Changing from a common “admin” username will stymie many simplistic brute force attacks, but changing from “admin” is a form of security by obscurity. Marginally useful, but ultimately not real security. You need to rely on good, very strong passwords, not obscured usernames.

    At a minimum, I recommend any plugin that restricts login attempts and locks out the user for a period of time after so many failed attempts.

    If abuse is coming from a limited set of IPs, you could explicitly block those in .htaccess. This takes much of the burden off of the server, saving it from having to load all of WP to serve some bogus login attempt.

    You might consider some of the other measures described in Hardening WordPress.
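A minimal illustration of the first recommendation above (limit failed logins, then lock the address out for a while). This is an added example, not code from the thread, from WordPress core, or from any published plugin; it assumes only the core `wp_login_failed`, `authenticate` and `wp_login` hooks and the transients API, and every name prefixed `ex_lockout_` is made up for the example.

```php
<?php
/**
 * Plugin Name: Example Login Lockout (illustrative must-use plugin)
 * Description: Locks an address out for a period after repeated failed logins.
 * Install by dropping the file into wp-content/mu-plugins/.
 */

const EX_LOCKOUT_MAX_ATTEMPTS = 5;                      // failures allowed inside the window
const EX_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS; // window in which failures are counted
const EX_LOCKOUT_DURATION     = 30 * MINUTE_IN_SECONDS; // how long the lockout lasts

// Client address as seen by PHP. Behind a reverse proxy this is the proxy's
// address; map the real client address from a trusted header there, not here.
function ex_lockout_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient name for one address; hashed so the raw address is not the option name.
function ex_lockout_key( $ip, $kind ) {
    return 'ex_lockout_' . $kind . '_' . md5( $ip );
}

function ex_lockout_is_locked( $ip ) {
    return (bool) get_transient( ex_lockout_key( $ip, 'locked' ) );
}

// Count a failed attempt; start a lockout once the threshold is reached.
function ex_lockout_record_failure( $username ) {
    $ip = ex_lockout_client_ip();
    if ( ex_lockout_is_locked( $ip ) ) {
        return; // already locked out; attempts during the lockout are refused anyway
    }
    $count_key = ex_lockout_key( $ip, 'count' );
    $count     = (int) get_transient( $count_key ) + 1;
    set_transient( $count_key, $count, EX_LOCKOUT_WINDOW );

    if ( $count >= EX_LOCKOUT_MAX_ATTEMPTS ) {
        set_transient( ex_lockout_key( $ip, 'locked' ), time(), EX_LOCKOUT_DURATION );
        delete_transient( $count_key );
        // One line per lockout in the PHP error log; useful for later .htaccess blocking.
        error_log( sprintf( 'login lockout: ip=%s attempts=%d', $ip, $count ) );
    }
}
add_action( 'wp_login_failed', 'ex_lockout_record_failure' );

// Refuse authentication while a lockout is active. Priority 30 runs after
// core's username/email password checks (priority 20), so a correct password
// cannot override the lockout.
function ex_lockout_authenticate( $user, $username, $password ) {
    if ( ex_lockout_is_locked( ex_lockout_client_ip() ) ) {
        return new WP_Error(
            'ex_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_lockout_authenticate', 30, 3 );

// A successful login clears the failure counter for that address.
function ex_lockout_clear( $user_login, $user ) {
    delete_transient( ex_lockout_key( ex_lockout_client_ip(), 'count' ) );
}
add_action( 'wp_login', 'ex_lockout_clear', 10, 2 );
```

The counters live in transients, so they expire on their own and need no cron. Note that this still loads all of WordPress for every refused attempt, which is exactly why the .htaccess block mentioned above is the cheaper answer once the abusive addresses are known; the `error_log` line is there so those addresses can be collected.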

    Thread Starter wert23sdfuy7

    (@wert23sdfuy7)

    I’m in agreement with your comments. I have now read the official WordPress How to install WordPress article and see that it does not have any reference to changing the account. When installing, I had assumed the instructions were WordPress policy. I see that it is still proposed in the Hardening WordPress article you suggest.

    The real concern about the login attempts is that clearly user account information is leaked inadvertently although the safety of this is not a problem. What does concern me is whether any other information, that may be security related, is also leaked along the same (or similar) channels.

    The Chinese login attempts have come from several tens of addresses so far. I don’t see how they can be stopped without dynamic address blacklisting. This may be too expensive for routine use.

    My intent with the incident was to make available a recently installed system with minimal customisation that could be inspected to see where the leakage had occurred to permit improvement of the overall core.

    If that is not of interest, I’ll mark this as resolved. Thanks for the response.

    The real concern about the login attempts is that clearly user account information is leaked inadvertently although the safety of this is not a problem. What does concern me is whether any other information, that may be security related, is also leaked along the same (or similar) channels.

    Across the network of WordPress sites I manage, I see dozens of attempted logins using usernames that do not even exist and have never existed at all.

    With billions of online user accounts having been pwned and floating around on the internet, unless your WordPress username in question is a totally random one that you don’t believe anyone else anywhere on the entire planet could have ever used on ANY website, I wouldn’t think of this as a leak from your own website — but more likely a credential stuffing attack.
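One way to apply the reasoning above (and the earlier point about blocking a limited set of addresses in .htaccess) as a check rather than a hunch: tally failed logins by source address and by attempted username, and see what share of the usernames has never existed on the site. This is an added example, not from the thread; the log records and the list of known accounts are constructed, and the `ex_` function names are made up for the example.

```php
<?php
// Constructed failed-login records, one "ip username" pair per line, of the
// kind a lockout plugin or web-server log could supply. Not real data.
$failures = <<<'LOG'
203.0.113.10 admin
203.0.113.10 admin
203.0.113.10 wert23sdfuy7
203.0.113.10 wert23sdfuy7
198.51.100.7 jsmith88
198.51.100.7 mary.k
198.51.100.9 test
198.51.100.9 webmaster
198.51.100.12 admin
198.51.100.12 support
LOG;

// Accounts that actually exist on this site (constructed for the example).
$known_users = array( 'wert23sdfuy7', 'editor' );

/**
 * Summarise failed logins: number of source addresses, distinct usernames
 * tried, and how many of those usernames do not exist on the site.
 */
function ex_summarise( $log, array $known ) {
    $known_set = array_flip( $known );
    $per_ip    = array();
    $per_name  = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        list( $ip, $user ) = preg_split( '/\s+/', trim( $line ), 2 );
        $per_ip[ $ip ]     = ( $per_ip[ $ip ] ?? 0 ) + 1;
        $per_name[ $user ] = ( $per_name[ $user ] ?? 0 ) + 1;
    }
    $unknown = 0;
    foreach ( $per_name as $user => $n ) {
        if ( ! isset( $known_set[ $user ] ) ) {
            $unknown++;
        }
    }
    return array(
        'attempts'       => array_sum( $per_ip ),
        'source_ips'     => count( $per_ip ),
        'distinct_names' => count( $per_name ),
        'unknown_names'  => $unknown,
        'per_ip'         => $per_ip,
    );
}

/**
 * Apache 2.4 .htaccess fragment that denies wp-login.php to addresses with
 * at least $threshold failures, so WordPress is never loaded for them.
 */
function ex_htaccess_block( array $per_ip, $threshold ) {
    $lines = array( '<Files wp-login.php>', '    <RequireAll>', '        Require all granted' );
    foreach ( $per_ip as $ip => $n ) {
        if ( $n >= $threshold ) {
            $lines[] = '        Require not ip ' . $ip;
        }
    }
    $lines[] = '    </RequireAll>';
    $lines[] = '</Files>';
    return implode( "\n", $lines ) . "\n";
}

$summary = ex_summarise( $failures, $known_users );
printf(
    "%d failures from %d addresses; %d of %d usernames tried do not exist here\n",
    $summary['attempts'], $summary['source_ips'],
    $summary['unknown_names'], $summary['distinct_names']
);
// Mostly nonexistent names spread over many addresses is the credential
// stuffing / spraying pattern; repeated hits on one real account from a few
// addresses is the case worth blocking at the web server.
echo ex_htaccess_block( $summary['per_ip'], 3 );
```

Run with `php` on the command line. With the constructed data the summary reports 10 failures from 4 addresses and 6 of 7 usernames unknown, and only 203.0.113.10 (4 failures) lands in the generated block. Regenerating that fragment from the log on a schedule is one cheap form of the dynamic blacklisting mentioned earlier; the thresholds are the parameters to tune per site.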

    Moderator bcworkz

    (@bcworkz)

    The only personally identifiable information (PII) that a default WP site collects is user email. If someone comments, their IP address is logged. Their profile has fields for first and last names, but they are optional and there’s a separate field for what should be publicly displayed. Except through unauthorized, illegal access (successful hack), no PII is ever leaked anywhere AFAIK. As discussed earlier, usernames are not considered PII. If you’ve managed to discover a leak of PII, please use responsible disclosure.


The topic ‘Login failed repeatedly for hidden admin User’ is closed to new replies.