This is the site hacking email Andrew had passed on…it’s long but has useful links…bottom line he says just make sure your WordPress users DO NOT have a user named “admin” & install the Limit Login Attempts plugin http://wordpress.org/extend/plugins/limit-login-attempts/
If you’re running a WordPress site, now would be a good time to ensure you are using very strong passwords. According to reports from HostGator and CloudFlare, there is currently a significant attack being launched at WordPress blogs across the Internet. For the most part, this is a brute-force dictionary-based attack that aim to find the password for the ‘admin’ account that every WordPress site sets up by default.
Both CloudFlare and HostGator, as well as a number of other hosting providers, have taken measures to protect their customers. Besides choosing a very strong password – which is always a good idea – you can also install a number of WordPress plugins that limit the number of login attempts from the same IP address or network to put a stop to these brute-force attacks.
Sara (I think) also did mention the plugin BulletProof Security which uses an htaccess file for its security.