<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Mum &#187; Security</title>
	<atom:link href="http://blogmum.com/category/wordpress/security-wordpress/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogmum.com</link>
	<description>WordPress made easy</description>
	<lastBuildDate>Mon, 05 Apr 2010 00:20:14 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>How to change the WordPress admin user ID</title>
		<link>http://blogmum.com/2009/09/how-to-change-the-wordpress-admin-user-id/</link>
		<comments>http://blogmum.com/2009/09/how-to-change-the-wordpress-admin-user-id/#comments</comments>
		<pubDate>Tue, 08 Sep 2009 13:27:42 +0000</pubDate>
		<dc:creator>Sue</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[WordPress]]></category>
		<category><![CDATA[administrator]]></category>
		<category><![CDATA[PHPMyAdmin]]></category>
		<category><![CDATA[user]]></category>

		<guid isPermaLink="false">http://blogmum.com/?p=1415</guid>
		<description><![CDATA[<p>There have (unsurprisingly) been a lot of blog posts written in the last few days about WordPress security and what you can do to keep your blog safe from hackers. I'll be chucking my own twopennorth in shortly, but for now, I want to look at one of the recommendations in more detail: "get rid of the user called 'admin'". This is a pretty sensible piece of advice. On most WP installs, "admin"... <a href="http://blogmum.com/2009/09/how-to-change-the-wordpress-admin-user-id/">Read more</a></p>]]></description>
			<content:encoded><![CDATA[<p>There have (<a href="http://blogmum.com/2009/09/attacks-on-old-versions-of-wordpress/">unsurprisingly</a>) been a lot of blog posts written in the last few days about WordPress security and what you can do to keep your blog safe from hackers. I'll be chucking my own twopennorth in shortly, but for now, I want to look at one of the recommendations in more detail: "get rid of the user called 'admin'". </p>
<p>This is a pretty sensible piece of advice. On most WP installs, "admin" is the default user name; if you want to hack a blog, it's a good place to start guessing. That effectively halves the security of the username/password combination, because only the password is left to guess. </p>
<p>So when you're setting up a new WordPress blog, pick something other than "admin" for your user name. But what do you do if your existing blog already has "admin" as a username? Unfortunately, WP doesn't have an easy way to change a user name. You can do it through PHPMyAdmin, but a couple of people I know have managed to lock themselves out of WordPress altogether trying that.</p>
<p>The easiest way is to create a whole new administrator through WP's admin:</p>
<ul>
<li>From Users &gt; Add New, create a new account. Pick a strong password. You'll need to use an email address that hasn't been used for any other user of your blog. Assign the new user the role of Administrator.</li>
<li>Sign in as the new Administrator.</li>
<li>Assign all of admin's posts to the new user: from Posts, choose Bulk Actions &gt; Edit from the dropdown menu at the top. If you have a lot (pages and pages) of posts, you can reassign them automatically as part of the user deletion routine, but I always feel much safer moving the posts first!</li>
<li>Go to Users &gt; Authors &#038; Users, and choose delete for the user "admin".</li>
<li>If "admin" has any posts left attributed to them, you'll see the message shown below; assign all of admin's posts to your new user ID. </li>
</ul>
<p><img src="http://blogmum.com/wp-content/uploads/2009/09/deleteuser.png" alt="deleteuser" title="deleteuser" width="586" height="344" class="aligncenter size-full wp-image-1422" /></p>
<p>One other note regarding comments: reassigning posts to a different author will break some minor features in comments. My gravatar stopped showing up (even though my new ID's email address was also registered with gravatar.com), and the CSS I had in place to highlight comments written by the author no longer highlighted my comments. The only way I found to fix this was through PHPMyAdmin, changing the wp_comments table's user_id from my old ID number to my new one. </p>
<p>The above routine will remove "admin" as a user of your blog and help to keep your WordPress a little more secure. It should go without saying that this isn't enough: there are other things you should be doing, primarily keeping your install up to date. </p>
]]></content:encoded>
			<wfw:commentRss>http://blogmum.com/2009/09/how-to-change-the-wordpress-admin-user-id/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Attacks on old versions of WordPress</title>
		<link>http://blogmum.com/2009/09/attacks-on-old-versions-of-wordpress/</link>
		<comments>http://blogmum.com/2009/09/attacks-on-old-versions-of-wordpress/#comments</comments>
		<pubDate>Sat, 05 Sep 2009 11:07:26 +0000</pubDate>
		<dc:creator>Sue</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[WordPress]]></category>

		<guid isPermaLink="false">http://blogmum.com/?p=1384</guid>
		<description><![CDATA[<p>Lorelle has news that older versions of WordPress are being attacked. Symptoms include: odd additions to permalinks - "eval" and "base64_decode". Your blog's permalinks will no longer work. a new administrator account, perhaps named Administrator (2), created but not by you. This can happen even if registration is turned off on your blog. If you haven't upgraded, DO IT NOW. As of... <a href="http://blogmum.com/2009/09/attacks-on-old-versions-of-wordpress/">Read more</a></p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/">Lorelle</a> has news that older versions of WordPress are being attacked. Symptoms include:
<ol>
<li>odd additions to permalinks - "eval" and "base64_decode". Your blog's permalinks will no longer work. </li>
<li>a new administrator account, perhaps named Administrator (2), created but not by you. This can happen even if registration is turned off on your blog. </li>
</ol>
<p>If you haven't upgraded, <strong>DO IT NOW</strong>. As of today, you should be running version 2.8.4: check your dashboard. If it has any number lower than that, you need to upgrade. If you're using a version of WP higher than 2.7, it's as simple as clicking that nagging link on your dashboard; it takes less than a minute. So just do it. And if you need more detailed instructions for upgrading from pre-2.7, <a href="http://blogmum.com/2009/06/upgrading-wordpress-just-do-it-will-you/">here they are.</a></p>
<p>If you've been hit with this already, then copying your posts and comments into a completely clean installation of WordPress seems to be the best way to deal with it. Simply upgrading now will most likely not deal with this (hackers know how WordPress upgrades work, and put their changes in files that an upgrade does not overwrite). <a href="http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/">Smackdown has more advice.</a> </p>
<p>I'm going to say too, I'm pretty shocked by the attitude of some people: <a href="http://weblogtoolscollection.com/archives/2009/09/04/old-wordpress-version-attack-warning-please-upgrade/">Weblog Tools Collection's comments</a> have some who are saying they won't upgrade. If you take that line, frankly, you deserve what you get.</p>
<p><strong>Update: </strong>one of the tricks this worm apparently uses is JavaScript that hides the extra administrator account from the user list in WP admin. If this is happening, you can look directly in the database (e.g. via PHPMyAdmin). Check wp_users (your blog may have a different table prefix): if you normally only have one user, you'll easily see if anything's been added. If, however, you have a lot of registered users, you'll want to list out the administrators and make sure they're all legitimate. <a href="http://dougal.gunters.org/blog/2009/09/05/checking-your-wordpress-security">Dougal Campbell has more details on this</a>. </p>
]]></content:encoded>
			<wfw:commentRss>http://blogmum.com/2009/09/attacks-on-old-versions-of-wordpress/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>WordPress 2.8.4 security release available</title>
		<link>http://blogmum.com/2009/08/wordpress-2-8-4-security-release-available/</link>
		<comments>http://blogmum.com/2009/08/wordpress-2-8-4-security-release-available/#comments</comments>
		<pubDate>Wed, 12 Aug 2009 08:23:26 +0000</pubDate>
		<dc:creator>Sue</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[WordPress]]></category>
		<category><![CDATA[2.8.4]]></category>
		<category><![CDATA[new release]]></category>

		<guid isPermaLink="false">http://blogmum.com/?p=1151</guid>
		<description><![CDATA[<p>There's a new release of WordPress available this morning: 2.8.4 is labelled a security release, so you should upgrade as soon as possible. If there's not a link on your dashboard, you can upgrade automatically through Tools &#62; Upgrade. A word also about what this upgrade is for. Late yesterday (if you're in my time zone), a vulnerability was discovered: it was possible to generate a new... <a href="http://blogmum.com/2009/08/wordpress-2-8-4-security-release-available/">Read more</a></p>]]></description>
			<content:encoded><![CDATA[<p>There's a new release of WordPress available this morning: 2.8.4 is labelled a security release, so you should upgrade as soon as possible. If there's not a link on your dashboard, you can upgrade automatically through Tools &gt; Upgrade. </p>
<p>A word also about what this upgrade is for. Late yesterday (if you're in my time zone), a vulnerability was discovered: it was possible to generate a new password on WordPress, even if you had no back-end access to the blog itself. A specially-crafted URL would allow anyone to reset the password on any WP blog; the new password created by the WordPress installation would then be emailed to the email address associated with the admin account (so the person doing the mischievous resetting would never actually see it). This morning's release stops this happening.</p>
<p>Though some people on Twitter were calling this "a huge security hole in WordPress", that's rather overstating the case. As <a href="http://wordpress.org/development/2009/08/2-8-4-security-release/">the official WP blog puts it</a>, it "doesn’t allow remote access, but it is very annoying." (Unless of course your email were compromised; then you might have more of a problem.)</p>
<p>Nevertheless, this is probably a good day to read WPTavern's excellent <a href="http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow">5 WordPress security tips you most likely don't follow</a>. </p>
]]></content:encoded>
			<wfw:commentRss>http://blogmum.com/2009/08/wordpress-2-8-4-security-release-available/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WordPress 2.8.2 released</title>
		<link>http://blogmum.com/2009/07/wordpress-2-8-2-released/</link>
		<comments>http://blogmum.com/2009/07/wordpress-2-8-2-released/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 11:06:34 +0000</pubDate>
		<dc:creator>Sue</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[WordPress]]></category>
		<category><![CDATA[2.8.2]]></category>
		<category><![CDATA[new releases]]></category>

		<guid isPermaLink="false">http://blogmum.com/?p=957</guid>
		<description><![CDATA[<p>Hot on the heels of 2.8.1, WordPress version 2.8.2 was released this morning to fix an XSS vulnerability which could have been exploited to direct authors away from their admin sections to another site. If it's not there already, over the next few hours a link to upgrade should appear on your WordPress dashboard: not everyone sees it at once, but when you do, please click it. If you're... <a href="http://blogmum.com/2009/07/wordpress-2-8-2-released/">Read more</a></p>]]></description>
			<content:encoded><![CDATA[<p>Hot on the heels of 2.8.1, WordPress <a href="http://wordpress.org/development/2009/07/wordpress-2-8-2/">version 2.8.2 was released this morning</a> to fix an XSS vulnerability which could have been exploited to direct authors away from their admin sections to another site. </p>
<p>If it's not there already, over the next few hours a link to upgrade should appear on your WordPress dashboard: not everyone sees it at once, but when you do, please click it. If you're running a version of WordPress that's older than 2.7, you'll have to (and should) <a href="http://blogmum.com/2009/06/upgrading-wordpress-just-do-it-will-you/">upgrade manually</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogmum.com/2009/07/wordpress-2-8-2-released/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
