@wedi Knowing your username or even discovering your username is not a security risk in any sense of the word. Some people think that knowing a username is like 50% of what you need to log into a site, but the truth is that it is not a security token of any sort.
I can explain this quite simply. Let’s assume that your theory is correct and that usernames should be secret. So, you need two secrets to log into your site: the secret username and the secret password. Now, two is more than one so that’s more secure, right? So, why not just have a normal non-secret username field and two password fields? Hey, they still need to know two secrets, so sure, more secure. Username + password1 + password2. In fact, why don’t we simplify the whole situation, and just have them put both passwords into one field, like “password1password2”? Much simpler to have one field, and now we’re more secure. /s
The reality is that having multiple secrets is no different than having only one secret, because *the secret password can be of any length*. If somebody is choosing bad passwords, then the way to address that is to educate them to choose good passwords.
WordPress addresses the bad password problem by using a different approach for passwords. When you choose a new password or set up a new account, WordPress does not ask you to enter a password; it generates a secure one for you. If you then type in your own password instead, a checkbox pops up that confirms that you want to use a bad password, and it won’t let you go on without checking that box. Basically, WordPress’s approach is to use good passwords by default and force the user to recognize when they’re doing something bad instead. This is a much stronger approach than the typical “type your password twice” method most systems have.
As for brute-force prevention, if you are getting the hits to your access logs at all, then you’re already in trouble. Brute force attacks need to be stopped upstream, before the PHP code is ever executed, because the main problem caused by brute force attacks is resource depletion. You only have so much processing power and network bandwidth; if you’re getting traffic for these attacks, then you need to stop the traffic itself, not just prevent it from getting lucky. Them knowing the username is not your problem; them getting their spam traffic to execute your code at all is.
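The two password points above (a concatenated pair of secrets is no stronger than one secret of the same total length, and "generate a good password by default, make the user confirm a bad one") can be made concrete in code. The following is an added example, not the commenter's code and not WordPress's implementation; the alphabet, the 60-bit threshold, the tiny common-password list and the entropy model are all assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: a generic mixed alphabet for the generated default password.
# This is not WordPress's generator, just an illustration of the same idea.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"

# Constructed sample of "known bad" choices; a real deployment would use a
# large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}


def generate_password(length: int = 24) -> str:
    """The default the form offers: random characters from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Rough guess-space estimate: length * log2(size of character classes used).

    Because the estimate is linear in length, splitting one secret into two
    fields adds nothing: bits(a) + bits(b) == bits(a + b) for same-class text.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def is_weak(password: str, min_bits: float = 60.0) -> bool:
    """Weak if it is a known-bad choice or its estimated guess space is small."""
    if password.lower() in COMMON_PASSWORDS:
        return True
    return entropy_bits(password) < min_bits


def accept_password(user_choice: str, confirmed_weak: bool):
    """Mirror the flow described in the comment.

    Empty choice  -> hand back a generated default.
    Weak choice   -> refuse unless the user explicitly ticked the "yes, I
                     know this is bad" box.
    Anything else -> accept as typed.
    Returns (password_or_None, outcome).
    """
    if not user_choice:
        return generate_password(), "generated"
    if is_weak(user_choice) and not confirmed_weak:
        return None, "weak: confirmation required"
    return user_choice, "accepted"


if __name__ == "__main__":
    print(accept_password("", False))
    print(accept_password("password", False))
    print(accept_password("password", True))
    print(entropy_bits("abcd") + entropy_bits("efgh"), entropy_bits("abcdefgh"))
```

The last print line is the "two secrets vs. one longer secret" argument in numbers: under this model the pair `abcd` / `efgh` scores exactly the same as the single field `abcdefgh`, so the extra field buys nothing that a longer password would not.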
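On the brute-force point, the comment's position is that login floods are a traffic problem to be handled before PHP runs. One defender-side step toward that is to mine the access log for clients hammering the login endpoint and hand the result to the upstream rate limiter or firewall, rather than deciding per request inside the application. The following is an added example, not the commenter's code: the log lines are constructed, the `/wp-login.php` path, the 5-attempts-per-60-seconds threshold and the combined-log-format regex are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx combined log format; these are
# documentation-range addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
198.51.100.4 - - [10/Oct/2023:13:55:03 +0000] "GET /index.php HTTP/1.1" 200 5678
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
192.0.2.9 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1234
198.51.100.4 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
192.0.2.9 - - [10/Oct/2023:13:58:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
this line is not a log record and is skipped
"""

# Combined log format: ip ident user [timestamp] "METHOD PATH PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def login_bursts(log_text: str, threshold: int = 5,
                 window: timedelta = timedelta(seconds=60),
                 login_path: str = "/wp-login.php") -> dict:
    """Find clients with >= `threshold` login POSTs inside any `window`.

    Returns {ip: total_login_posts}. The sliding window means a client that
    spreads attempts out below the rate is not flagged, which is the usual
    rate-limiter semantics. The output is meant for the upstream layer
    (firewall, reverse-proxy limit rules), not for the PHP application.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # startswith() so that "?redirect_to=..." query strings still count.
        if method == "POST" and path.startswith(login_path):
            hits[ip].append(ts)

    offenders = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders


if __name__ == "__main__":
    for ip, count in login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs, candidate for upstream block")
```

In the constructed sample only `203.0.113.7` crosses the threshold (six POSTs in ten seconds); `192.0.2.9` makes three attempts, one of them minutes later, and `198.51.100.4` is ordinary traffic. Whatever consumes this list should block or rate-limit at the edge, which is the point the comment makes: once the request has reached PHP the CPU has already been spent.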