The success of this sort of attack has almost nothing to do with the security of WordPress itself and everything to do with the behavior of WordPress users. In principle, username and password combinations are a very safe way of securing a site. In practice, people don’t understand how to use passwords properly and value convenience over security. If they can get away with having “pa55word” or an equally guessable combination as their password, many will.
We can rail against this sort of complacency all we like, but as responsible site owners we just have to accept lax password security as a part of the landscape. Education helps, but not much; we need to implement other mechanisms for ensuring that our sites don’t fall when the botnets come knocking.
Usernames and passwords work because the number of possible combinations is enormous. For a sufficiently long, complex, and random password, it would take even the most powerful computer many years to hit on the right combination. For a sufficiently simple password, it can take fractions of a second. If users aren’t willing to use random and complex passwords, the solution is to implement another verification mechanism — a second factor – that will ensure the chances of guessing a valid combination remain remote.
There are various ways of implementing two-factor authentication — biometrics such as fingerprinting are one, but that’s more complex to implement than the method I’m about to suggest, one-time passcodes.
Unlike a password, a one-time passcode works for a short amount of time, usually about 30 seconds. The TFA service and the user share a secret — frequently a long string of numbers — which is used in combination with the time to create a unique passcode known to the TFA service and the user without it ever having to be communicated between them. It’s much safer than using passwords alone and because the choice of passcode isn’t up to the user, they can’t circumvent security by using an easily guessable combination.
The typical scenario would go as follows: the user wants to log in to your WordPress site. They enter their username and password, after which they are asked for a further passcode. They will have an application from the TFA service provider installed on their smartphone or a dedicated device, which will generate a passcode that can only be used for a short time. When they enter the passcode correctly, they are logged in.
There are a several good TFA services that integrate well with WordPress, but I’m going to suggest you take a look at two: Duo Security and Authy 2FA.
If you run a multi-user WordPress site, particularly if you have several admin users, implementing two-factor authentication will make it almost impossible for casual brute-force attackers to successfully breach your site. It’s well worth the minimal effort to avoid the risk of becoming a vector for malware or a hacker’s playground.