WordPress stopped auto filling in the ‘admin’ username on install a while ago in version 3.7, but that doesn’t mean someone can’t fill it in that way themselves. Here’s a screenshot that shows why this is a bad idea:

I get these bruteforce notifications multiple times a day. Here’s a few other usernames they like to try:

• demo
• adm
• toor
• user

toor? What the heck is that?