It’s vital to stop using generic usernames such as “admin”, “administrator”, “root” or “test”. These are currently heavily targeted by hacker’s bots. If your WordPress username is generic, like “admin”, you’ve given away half of your login details. If you are using one of these, set up a new admin account, login with that and delete the poorly named account.
From the Development & Security categories Practice least privilege
Limit access permissions to your website's CMS to the minimum necessary. Grant only essential privileges to users, especially for administrative roles. This principle helps prevent unauthorized access and misuse.
