By default on failed login attempts WordPress will tell you whether username or password is wrong. An attacker can use that to find out which usernames are active on your system and then use brute-force methods to hack the password.
The solution to this problem is simple. Whether user enters wrong username or wrong password we always tell him “wrong username or password” so that he doesn’t know which of two is wrong. Open your theme’s functions.php file and copy/paste the following code:
function wrong_login() { return 'Wrong username or password.'; } add_filter('login_errors', 'wrong_login');
If you are concerned about WordPress security on your site, we encourage you to follow the full set of tips on our WordPress Security page. And get in touch if you need help with protecting your site from hackers.