This article focuses on defending the administration area of WordPress, meaning all those pages in the wp-admin folder or http://www.yourblog.com/wp-admin/ that are displayed after a user a verified. We highlighted the phrase “after a user is verified” deliberately: it should be explicitly understood that only a simple query stands in the way of an evil hacker and the powerful admin area of your whole blog. The latter is only as strong as the passwords that are generated.
via 10 Steps To Protect The Admin Area In WordPress | Developers Toolbox | Smashing Magazine.