Per this PhysOrg story:
Sources from several Web hosting services this week raised an all-out alert: WordPress was under attack with at least 90,000 IP addresses involved to brute-force crack credentials of WordPress sites. The attacks, they said, are worrying in that they are on an unusually large scale, being described as “superbotnet” level. Among hosting providers detecting such attacks were CloudFlare and HostGator. “The attacker is brute force attacking the WordPress administrative portals, using the username ‘admin’ and trying thousands of passwords,” Matthew Prince, CEO of CloudFlare, said in an April 11 blog posting.
The story makes it sound as if it’s only a problem for WordPress.org users (computer savvy people who download WordPress software and then develop their own stuff), not us lazy folks who use the easier blogs available at WordPress.com.
However, it apparently matters to us as well, because WordPress is offering us a security measure, too.
First off, change your user name if it’s “admin”! (Hard to see why it would be on a WordPress.com account, but still . . . . )
Next, consider setting up two-step authentication.
Your WordPress.com account offers two-step authentication now, either with smartphones or other cellphones (SMS).
I’ve been using this on Google since reading about what happened to Mat Honan last year. It’s still easy to log in – just another quick step.
Whether you’re on Google or WordPress, once you turn this on (and you can easily turn it off again any time), you have to log in as you’re doing now and then wait for a code to arrive on your phone (applicable charges are your responsibility). You then enter the code and voila! You’re into your account as usual. Don’t know about WordPress yet, but the Google code stays in effect until you clean out cookies.
In case your phone is lost or stolen, be sure to generate backup codes, write them down (don’t store them on your computer or online), and keep them in a safe place you can easily find when you’re panicked because you just lost your phone somehow and need to get into your online accounts.
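As an added example (not from this post, and not WordPress.com's or Google's own code), here is what that second step looks like on the server side in Python: a short-lived one-time code issued after the password check, a cap on guesses, and single-use backup codes kept only as hashes for the lost-phone case. The class name, constants and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # an SMS code is only good for a few minutes
MAX_ATTEMPTS = 5         # a 6-digit code can be guessed; cap the tries

def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

class TwoStepLogin:
    """Second login step (hypothetical class, not WordPress.com's code)."""
    def __init__(self, backup_codes):
        # Only hashes are kept; each backup code works exactly once.
        self._backup_hashes = {_hash(c) for c in backup_codes}
        self._pending = None   # [hashed code, expiry time, attempts left]
    @staticmethod
    def generate_backup_codes(n=8):
        # Codes the user writes down for the day the phone is lost.
        return [f"{secrets.randbelow(10**10):010d}" for _ in range(n)]
    def send_code(self, now=None):
        # Called after the password check. Returns the code only so this
        # example can exercise it; a real service just sends it to the phone.
        code = f"{secrets.randbelow(10**6):06d}"
        expiry = (time.time() if now is None else now) + CODE_TTL_SECONDS
        self._pending = [_hash(code), expiry, MAX_ATTEMPTS]
        return code
    def verify_code(self, code, now=None):
        # Accept the code once, within its lifetime, with bounded guesses.
        if self._pending is None:
            return False
        hashed, expiry, attempts = self._pending
        if (time.time() if now is None else now) > expiry or attempts <= 0:
            self._pending = None   # expired or too many tries: start over
            return False
        if hmac.compare_digest(hashed, _hash(code)):
            self._pending = None   # consumed, so a replayed code is refused
            return True
        self._pending[2] -= 1
        return False
    def verify_backup_code(self, code):
        # Lost phone: a backup code is accepted instead, then burned.
        h = _hash(code)
        match = next((s for s in self._backup_hashes if hmac.compare_digest(s, h)), None)
        if match is None:
            return False
        self._backup_hashes.discard(match)
        return True
```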
I like this because it lets you know if somebody is trying to hack your account. Yes, it’s costing money but only a little bit. It’s a bargain, considering the enhanced peace of mind.