WordPress is a very widely used blogging system and well known as an entry point. There are tons of hacks, sources and tools trying to get access to the WordPress panel or the root system. There are also tons of plugins trying to secure it by changing the original WordPress code or file names.
Why are they doing this? Does it mean that the WordPress team is too stupid to develop secure code and a secure blogging system? Or does it mean that the WordPress core is not secure? Anyway. I think it is a bad idea to let plugins or themes overwrite the original code. In an older blog entry I explained how I mount one WordPress installation from the ports collection to all of my blogs. I'm using nullfs to mount it as a read-only directory. Plugins that try to overwrite or change original files will fail.
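A check for the read-only nullfs setup described above, added here as an example and not taken from the original post: it reads fstab(5)-format lines, as `mount -p` prints them on FreeBSD, and lists every nullfs mount of the shared WordPress tree that is missing the `ro` option. The source path, the blog mount points and the function names are assumptions.

```shell
#!/bin/sh
# Added example: find nullfs mounts of the shared WordPress tree that are
# not read-only. Input is fstab(5)-format text: device mountpoint type options ...
# WP_SRC is an assumed path for the ports-installed WordPress; adjust it.
WP_SRC="${WP_SRC:-/usr/local/www/wordpress}"

# Prints the mount point of every nullfs mount of $WP_SRC whose option
# list lacks "ro". Exit status 0 = all read-only, 1 = at least one writable.
writable_wp_mounts() {
    awk -v src="$WP_SRC" '
        $1 ~ /^#/ || NF < 4 { next }          # skip comments and short lines
        $1 == src && $3 == "nullfs" {
            n = split($4, opts, ",")          # options are comma-separated
            ro = 0
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if (!ro) { print $2; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input (hypothetical blogs): blog2 is mounted rw by mistake.
sample_mounts() {
    cat <<'EOF'
/dev/ada0p2 / ufs rw 1 1
/usr/local/www/wordpress /usr/local/www/blog1/wordpress nullfs ro 0 0
/usr/local/www/wordpress /usr/local/www/blog2/wordpress nullfs rw,noatime 0 0
EOF
}

# Demo on the sample; on a live FreeBSD host use: mount -p | writable_wp_mounts
sample_mounts | writable_wp_mounts | sed 's/^/NOT read-only: /'
```

Run from cron or a monitoring check, a non-zero exit status from `mount -p | writable_wp_mounts` flags a blog whose core files a plugin or theme could modify.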
Back to the topic. First, a good idea is to secure the login attempts. I'm using https://de.wordpress.org/plugins/limit-login-attempts-reloaded/ and it works well. That is the first step. I have to evaluate more plugins.