IIRC, my router actually offered to change the default admin password when I first logged in. I hear a lot about Buffalo routers being junk, but this one came pre-installed with DD-WRT and has worked like a champ since I first got it.
Mine allowed login with default on first login, then demanded I set a user and pass for access, not allowing me to move on to what I logged in for, until setting that up. And once set up, the default no longer works.
Yep. Most of 'em do. But they don't let ya change the username. There's a back door built in to most hardware - and a lot of software! - so that the vendor can tell you how to recover if you have a memory lapse - read, screw things up - and maintain their pristine reputation.
Mine is easy to bypass in that case, but only if you have physical access to the router. A paper clip in the back to reset it to factory defaults will do the trick, but there will be no normal internet access beyond the ISP's new user start page until you log in with your account, download and install their custom stuff, and set everything up again. So a name/pass is still required.
If you cannot change the Admin username, any hacker is halfway to cracking the system involved. Brute force and a decent dictionary can still resolve ninety percent of passwords when Admin is still a viable username.
In the case of Wordpress, it's not enough to not create the admin name as something else other than "admin" in the first place (Wordpress won't allow you to make a user name change later). You need to create at least a 2nd admin account and delete the first one, regardless of the user name chosen, or you risk getting locked out of your blog if it is attacked, and having to reset your password.
User ID 1 is the first created, first admin, and most targeted account, for things like SQL injections with the intent to change the password. If successful and the account name is "admin" then it's an easy in, without a brute force dictionary attack. They know the name (admin) and the password (they changed it themselves). If the account name is other than admin though, they don't have as easy of a time, but you still end up locked out.
If the account ID is something other than 1, it makes it a little harder, and you'll be less likely to end up locked out. Now they have to start guessing the ID, and maybe the user name too, since a default "admin" account no longer exists. Yes, there are ways to easily figure that stuff out too (in most cases), but it takes more time and is a bit more trouble, and unless the hacker is targeting your blog specifically, not as likely to happen, when there are so many other easier targets to hit with an automated attack.
There is a lot one can do to protect a wordpress blog, but people need to take the time to read and do the stuff required. A rough estimate of the time required to truly beef up the security on a WP blog is about 5 hours, if you have never done it before, and do everything
in this checklist
. Use the online version
if you don't want to go through the registration to download the pdf. It's always the most up to date. Registration gets you an email notice of any changes to the checklist, though, so once done, it's a good idea, any way.
And the first step in that checklist/tutorial is how to set up automation of backups, and how to have them automatically stored offsite is also covered at some point.