How to deal with this?
1) We have to tell WordPress to report a different error on a failed login
First we add a filter to the authentication process and, within that filter, change the error code that is returned.
Instead of “invalid password” we return “invalid username”, which misleads WordPress into clearing the username from the login screen whether an incorrect password or an incorrect username was entered.
To accomplish this trick you have to add the code below to the theme's functions.php.
The only difference from the original WordPress code is that we tell the login screen that we have an invalid_username even though the actual error is incorrect_password. That is the only change we make to the error code returned (below is an image with the original and changed code to explain the trick).
Note: the original code is located in \wp-includes\user.php, starting around line 71.
2) Change the error notifications so they don't reveal information.
Changing the error code alone is still not enough. WordPress still reveals whether the username was correct through the error message it presents, giving the attacker exactly the information needed to discover a valid username. So the error message should be changed to one that does not reveal any information.
We have two ways to do this: either remove the message completely (solution 2a) or change it into a generic one (solution 2b).
2a) Removing the default login error messages.
This requires adding this filter to your theme's functions.php.
2b) Changing the login error messages into a single generic one.
Changing the login error message into a generic one requires adding this filter to the theme's functions.php.
3) Optionally, you can hide the remember me checkbox from the wp-login form
The next step is to hide the remember me checkbox from the login screen, for which you need to add this to the theme's functions.php.
Now let us put it all into a plugin.
Of course you can create a plugin with all these code changes in it. Create a PHP file from the code below and upload it into a subfolder of the WordPress plugins folder.
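As an added example (not the post's own code), here is a complete plugin that covers steps 1, 2a/2b and 3 in one file. Instead of copying the core function from wp-includes/user.php, it hooks the `authenticate` filter at a later priority than core and rewrites the `incorrect_password` error code to `invalid_username`, so it keeps working across core updates. The plugin name, the `ule_` function prefix, the `ULE_ERROR_MODE` constant and the message texts are my own choices; the hooks (`authenticate`, `login_errors`, `login_head`) and the `forgetmenot` CSS class are WordPress's.

```php
<?php
/**
 * Plugin Name: Uniform Login Errors (added example)
 * Description: Stops the login screen from revealing whether a username exists.
 */

// Added example, not the original post's code. Everything prefixed "ule_" is ours.

defined( 'ABSPATH' ) || exit;

// Solution 2a: 'remove' (show no message) or solution 2b: 'generic' (one fixed message).
define( 'ULE_ERROR_MODE', 'generic' );

/**
 * Step 1: core's username/password check runs on 'authenticate' at priority 20,
 * so priority 30 sees its result. When core reports 'incorrect_password' we
 * return an 'invalid_username' error instead. The post notes that wp-login.php
 * clears the username field for 'invalid_username', so a guessed-correct
 * username no longer stays in the form after a failed attempt.
 */
function ule_mask_incorrect_password( $user, $username, $password ) {
    if ( is_wp_error( $user ) && 'incorrect_password' === $user->get_error_code() ) {
        return new WP_Error( 'invalid_username', __( 'Invalid username or password.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'ule_mask_incorrect_password', 30, 3 );

/**
 * Step 2: 'login_errors' receives the HTML error text shown above the form.
 * Only the login action is touched: the lost-password and registration
 * screens render their own errors through the same filter, and blanking
 * those would hide messages the user actually needs.
 */
function ule_filter_login_errors( $message ) {
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
    if ( 'login' !== $action ) {
        return $message;
    }
    if ( 'remove' === ULE_ERROR_MODE ) {
        return '';                                                    // 2a
    }
    return __( 'Login failed. Please check your username and password.' ); // 2b
}
add_filter( 'login_errors', 'ule_filter_login_errors' );

/**
 * Step 3 (optional): wp-login.php wraps the "Remember Me" checkbox in
 * <p class="forgetmenot">, so a small stylesheet printed from 'login_head'
 * hides it without touching the form markup.
 */
function ule_hide_remember_me() {
    echo '<style>.login form .forgetmenot { display: none; }</style>';
}
add_action( 'login_head', 'ule_hide_remember_me' );
```

Save the file as, for example, uniform-login-errors/uniform-login-errors.php under wp-content/plugins and activate it. With ULE_ERROR_MODE set to 'generic', a wrong password and a non-existent username now produce the same error code, the same message and an empty username field, so the two cases cannot be told apart from the login screen.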