I'm just wondering whether it makes sense to hide the super administrator from the user page (or at least to change the information about the role to something unsuspicious) and/or to remove the profile page so that it would be harder for attackers to guess the username-password combination. I know this recommendation from WordPress installations, and according to my own experience these attacks indeed first try default admin names. Q2A doesn't seem to have a default admin name, but it could be easily retrieved by scanning the user profiles.
I am aware of the option to allow only email addresses for login, but this would probably affect all users, not only the admin. Another option would therefore be to allow only the email address for admin login (while also allowing usernames for other users).
The question might possibly also be relevant for editors etc.