Matt Mullenweg reported the following:
Here are two quick steps to avoid unnecessary risks:
Turn off user registration
This one is simple. Just log in to your administrator screen and visit the “General Settings” screen (listed under Settings) and make sure the checkbox labeled “Anyone can register” is not checked.
Block access to your blog’s admin area
This can be accomplished with simple authentication.
If your site runs on Apache, you can create an .htaccess file in your
/wp-admin/ directory to require authentication before the page is displayed. This post provides the necessary steps.