Security firms have been tracking an escalating number of "brute force" attacks against WordPress installations, which have been trying out logins such as "admin" and then running through thousands of commonly-used passwords to try to break in.