I woke up this morning to an alert from Wordfence that one of the administrators of a client's website logged in overnight from Istanbul, Turkey. I know for a fact this particular gentleman is not in Istanbul right now.
How did this happen? A weak, easily guessable password.
There has been a dramatic increase in these brute-force attacks in the past few weeks. I logged 2500 of these attacks on just one of my websites in just one day. Almost all the IP addresses are from Eastern Bloc countries.
What To Do:
1. If you have not updated to the latest version of WordPress, do so now. Version 4.3 and later have a new 'Change Password' function that can create strong passwords.
2. If you are not using Wordfence or Sucuri.net, start now. The premium version of Wordfence has the ability to block entire countries, so if you have no reason to expect website visitors from outside the USA, then block all non-US traffic.
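To check your own server for the pattern described above (a run of password guesses that ends in a successful login), here is an added example that is not part of the original post or of Wordfence. It assumes the Apache/Nginx combined log format and default WordPress behaviour, where a rejected login POST to wp-login.php returns 200 and an accepted one returns 302; the log lines, function names and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Apache/Nginx "combined" format: client IP, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def _line(ip, method, status):
    # Builds one constructed log line; timestamp and sizes are placeholders.
    return (f'{ip} - - [01/Jan/2000:02:14:00 +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3921 "-" "-"')

# Constructed sample traffic using documentation-range IPs, not real data.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", 200)] * 6      # guessing run...
    + [_line("203.0.113.7", "POST", 302)]        # ...that ends in a login
    + [_line("198.51.100.23", "POST", 200)] * 5  # guessing run, no success
    + [_line("192.0.2.10", "GET", 200)]          # user opening the form
    + [_line("192.0.2.10", "POST", 200)]         # one typo
    + [_line("192.0.2.10", "POST", 302)]         # then a normal login
)

def summarize_logins(log_text):
    """Return (failed-login count per IP, set of IPs with an accepted login)."""
    failures, successes = Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only POSTs to the bare login endpoint; ?action=... requests are skipped.
        if not m or m["method"] != "POST" or not m["path"].endswith("/wp-login.php"):
            continue
        if m["status"] == "200":    # assumed default: form re-rendered, login rejected
            failures[m["ip"]] += 1
        elif m["status"] == "302":  # assumed default: redirect after accepted login
            successes.add(m["ip"])
    return failures, successes

def flag_sources(log_text, threshold=5):
    """Label IPs with at least `threshold` failures (threshold is a hypothetical default)."""
    failures, successes = summarize_logins(log_text)
    return {
        ip: "failures-then-success" if ip in successes else "repeated-failures"
        for ip, count in failures.items() if count >= threshold
    }

if __name__ == "__main__":
    for ip, label in flag_sources(SAMPLE_LOG).items():
        print(ip, label)
```

An address labelled `failures-then-success` means an account password was likely guessed, so reset that account's password and review what it did after logging in.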