This is just an FYI for everybody here.
Last night, I received 9 emails from the Wordfence security plugin on one of my sites. The most important of my sites, in fact. I'll paste it here, with the site name redacted:
This alert was generated by Wordfence on "XXXXXXXXXX" at Thursday 19th of December 2013 at 09:16:38 PM
A user with IP address 126.96.36.199 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username 'root' to try to sign in.
User IP: 188.8.131.52
User hostname: 184.108.40.206.clbrz.inet.eastern-tele.com
I never use "admin" or "root" as my admin name when installing WordPress. I have several types of security plugins installed. But this kind of hack attempt is still scary. And I didn't feel warm and fuzzy after contacting Bluehost about it. I emailed them just to alert them that my site was under attack, and I thought they might want to know, since I'm sure mine is not the only WordPress site hosted there that's being hit right now. I got back a boilerplate "here's what to do if your site has been hacked" email. Obviously, no human ever read my email.
So, this post is just a warning: never use "admin" or "root" or some other generic word as your admin username, have a strong password, and use security plugins. There are other WordPress hardening methods discussed at wordpress.org and on many WordPress-oriented websites. Be safe out there!