There is an ongoing WordPress brute-force attack that is affecting a large number of providers. CloudFlare has made a blog post about the issue and has reported that the attack is coming from upwards of 100,000 individual IP addresses or systems. Many providers have had entire servers taken offline and accounts compromised as a result of this ongoing attack.
While we haven't had any servers go offline as a result of these attacks, the larger issue comes as a result of any compromised WordPress installations that may result from this attack. Should your WordPress installation be brute-forced successfully, the attacker could upload malicious files to your account to include your account in this attack, future attacks, or worse. They could view all of your data, delete your data, modify your data, etc.
One basic step that can be taken to protect your WordPress installation and your account with us is to make sure that you are not using the default username of 'admin' for your WordPress administration. This is the default username for a new WordPress installation. WordPress does suggest changing this username as a method of security through obscurity.
As a result of this attack we've chosen to take a step that we would not ordinarily take, and that is to change the log-in username of any WordPress installation where it is currently 'admin'. This not only will help keep your account secure from this attack, but also from all possible future brute-force attacks on your WordPress installations while still allowing you full access to your WordPress administration via the new username. Keep in mind that if you've already changed your administration username to something other than 'admin' or you use an alternate username to log in to your WordPress administration, this change will not affect you.
In the interest of keeping your WordPress installation secure, and keeping the username obscure from potential attackers, we are not going to include the new usernames in this post. We are going to be sending out a mass mail to all of our customers advising you of the change and what the new usernames are. We are making this post on our forums as well as cross-posting it on our Facebook Page and our Twitter Feed to help ensure everybody is aware of this change.
If you have any questions about this, you are welcome to ask them here if they are generic in nature. If your questions are specific to your account, do please open a support ticket and a member of the senior staff will answer your questions concerning this.
Update regarding WordPress Network/MultiSite:
An issue has come to our attention regarding WordPress Network Installations (formerly WordPress MultiSite). If you were previously using the default 'admin' log-in to access all of your WordPress network sites and can no longer access other sites in your WordPress network with the new username, please open a support ticket so we can verify the issue and correct it for you. When opening the support ticket, please be sure to include the URL to access WordPress, and if possible, the WordPress database name.
Do not reply on our forums to request assistance with this issue. A support ticket is required to protect the privacy of your information.
Edited by MikeDVB, 20 June 2013 - 01:12 PM.
Added update regarding WordPress Network