One common technique is the brute-force attack. As the name implies, attackers gain access to your environment through brute force. Often conducted by bots, these attacks run through a compiled list of common passwords and their variations. Using this method, attackers gain access to your admin to send spam from your web site, deface your pages, or inject malicious code into your WordPress installation.
Your first line of defence against these attacks is changing the admin username to something other than the default “admin” and creating a strong password that is hard to guess even for a bot.
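The check below is an added example, not code from the original article or from WordPress: it audits a username and password pair against the two weaknesses described above, the default "admin" username and passwords that are only variations of a common word. The word list, the substitution table, the 12-character minimum and the function names are assumptions made for illustration.

```python
import re

# Constructed sample list; a real audit would load a much larger wordlist.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome",
                    "admin", "wordpress", "123456", "iloveyou"}
DEFAULT_USERNAMES = {"admin"}  # the default name the article warns about

# Character swaps that password-guessing lists routinely include (assumed set).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def base_forms(password):
    """Reduce a password to the base words it may be a variation of."""
    lowered = password.lower()
    # Drop digits and punctuation padded onto either end, e.g. "Welcome2024".
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    forms = {lowered, stripped}
    # Undo common character swaps, e.g. "p@ssw0rd" -> "password".
    forms |= {form.translate(SUBSTITUTIONS) for form in forms}
    forms.discard("")
    return forms


def audit_credentials(username, password, min_length=12):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if username.lower() in DEFAULT_USERNAMES:
        findings.append("default-username")
    if base_forms(password) & COMMON_PASSWORDS:
        findings.append("common-password-variation")
    if username and username.lower() in password.lower():
        findings.append("password-contains-username")
    if len(password) < min_length:  # assumed policy threshold
        findings.append("too-short")
    return findings


if __name__ == "__main__":
    # Constructed sample credentials.
    for user, pw in [("admin", "P@ssw0rd1!"),
                     ("site_owner", "Welcome2024"),
                     ("site_owner", "Velvet-Tractor-Orbit-92")]:
        print(user, pw, audit_credentials(user, pw))
```

A password that passes this check is not guaranteed to be strong; the check only rejects the choices a list-driven bot would try first.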
Lorelle VanFossen explains how to create a strong password that is not terribly long and is easy to remember. Her technique is a little unconventional, but stick with her through the article and you will end up with multiple passwords based on the same word.