1. There is a problem with WordPress that no time limit is provided for auto-logout regarding inactive users. It seems anybody can be on in days!
2. Even if a user closes the browser or the computer goes in standby status, the user is still logged in when the browser is opened or the computer is waken up again.
3. When login is unsuccessful, WordPress tells the user or a hacker exactly what is wrong. Username or the password which makes it much easier for anybody to continue hacking the account/site.
Please Please do something about these issues in your next update!!!