Hacker News
by socillion 4814 days ago
"...the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username "admin" and 1,000 or so common passwords."

I'm a little surprised that such a simple attack vector is a legitimate threat in creating a "super botnet."

2 comments

4.7% of users have the password password;

8.5% have the passwords password or 123456;

9.8% have the passwords password, 123456 or 12345678;

14% have a password from the top 10 passwords

40% have a password from the top 100 passwords

79% have a password from the top 500 passwords

91% have a password from the top 1000 passwords

http://xato.net/passwords/more-top-worst-passwords/

On older WordPress installs (pre-3.0 I believe), you couldn't change the username of the first user from "admin" when setting up a blog, and you had to manually change it later. Yes, it was stupid.
I remember having to perform some magical incantation to actually pull that off around then. Set up WP, log in, create new user, set it as admin, log in as the new user, try to delete the admin account, log back in as admin because you forgot something, log in as the new user again, actually delete account.

No wonder everyone stuck with 'admin'.
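The attack quoted at the top of the thread is distributed, so each source address sends only a few guesses for "admin" and a per-IP lockout never fires. The sketch below is an added example, not code from the thread or from WordPress: it counts failed logins per username across sources instead. The event tuple layout, thresholds, and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, success).
# The field layout and all thresholds below are assumptions for illustration.
def make_sample_events():
    events = []
    # 30 distinct sources, 2 failed "admin" logins each: every IP stays quiet.
    for i in range(30):
        for j in range(2):
            events.append((1000 + i * 10 + j, f"198.51.100.{i + 1}", "admin", False))
    # One legitimate user mistyping a password three times, then succeeding.
    for j in range(3):
        events.append((1100 + j, "192.0.2.10", "alice", False))
    events.append((1104, "192.0.2.10", "alice", True))
    return sorted(events)

def per_ip_offenders(events, max_failures=5):
    """Classic per-IP lockout: source IPs with more than max_failures failures."""
    counts = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            counts[ip] += 1
    return {ip for ip, n in counts.items() if n > max_failures}

def per_account_alerts(events, window=600, max_failures=20, min_sources=10):
    """Usernames whose failures inside a sliding window come from many sources."""
    alerts = {}
    recent = defaultdict(list)  # username -> [(ts, ip)] failures still in window
    for ts, ip, user, ok in events:
        if ok:
            continue
        q = recent[user]
        q.append((ts, ip))
        while q and q[0][0] <= ts - window:
            q.pop(0)  # drop failures older than the window
        sources = {src for _, src in q}
        if len(q) >= max_failures and len(sources) >= min_sources:
            alerts.setdefault(user, (ts, len(q), len(sources)))  # first crossing only
    return alerts

if __name__ == "__main__":
    events = make_sample_events()
    print("per-IP offenders:", per_ip_offenders(events))
    print("per-account alerts:", per_account_alerts(events))
```

Requiring many distinct sources keeps a single user's typos (the "alice" events) from raising the per-account alert.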