There is a massive brute-force attack on wordpress sites going on and they are exploiting sites that used “admin” as theeir login and are using software to “guess” the most common passwords.
Update all your plugins, delete unused ones and update your wordpress version. If you have unused themes, delete these as well.
If you use Admin is your login username, make sure you change it by following these steps.
1. Go to Users and create a new user with administrative access. Don’t use Common names and if you do add some characters and numbers.
2. Use a password generator to create your password and don’t use the name of your pet and a numbers as these are guessable by those bots.
3. Log out and login again with your new user id and delete the old one.
To update your security, add these plugins:
Login Lockdown – blocks IP addresses after they get the login wrong after a few tries.
Wordfence – this plugin includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers
Better WordPress Security This plugin takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched .