Hackers and bots are more prevalent than ever. It is vitally important you protect your WordPress install from every type of potential attack.
One simple way hackers attempt to get into your install is via the login form. Most people stick with ‘admin’ as the default username for their admin account. This is bad.
Already, you have potentially given up half the security you should have. They only need to guess or run a script to solve your password and they’re in. You should always rename your admin username to something other than ‘admin’.
One small gripe with WordPress is that when logging in, if you get the username correct but incorrect password, WordPress error messages tell you which one is wrong. This gives hackers the knowledge that they have the correct username. All that’s left is your password.
You can hide this message, hiding the confirmation that they have the correct username or password, by simply adding this little snippet to your functions.php file:
// PRO - Remove error message on login screen - for added security add_filter('login_errors',create_function('$a', "return null;"));