Here's a minor suggestion for the WP team:
WP's error messages are a bit too helpful with incorrect logins. If you type in an incorrect username, WP outputs "Error: Wrong login". This is fine so far.
However, if you type the wrong password, you get a different message, namely "Error: Incorrect password". This means that a possible attacker can be certain that they have correctly identified a valid user and can focus on working on finding the correct password.
What I'd suggest is that, following the login patterns of other programs and sites, is that a generic "incorrect login detail" message should instead be used.