“US-CERT has issued an alert regarding the ongoing massive brute-force attacks against WordPress sites, warning users and administrators to keep their installation always updated and to change the username and password for their WordPress accounts – especially if they kept the default “admin” username and use an easy-to-guess, commonly-used password.
The attacks started the week before last, but picked up in full force late last week, and the attackers are simply scanning the Web for WordPress installations, then trying out some 1,000 often-used combinations of login credentials.”
Read more here:
You should not use the default “admin” user name and should employ a secure password. Also consider using plugins “limit access attempts” and sucuri.net malware scan / monitoring software.