I just tried to log into my client's WordPress, however the password was wrong. All well and good, the login failed as expected, however the system gave the following message:
ERROR: Incorrect password
If I give it an incorrect username, again your system politely tells me:
ERROR: Invalid username.
So, now I know why my client tells me the system is being constantly being broken into!
Do you guys developing WordPress NOT KNOW that you should NEVER indicate the exact reason for login failure?? The error should only say something like: "ERROR: Login failed, please check your username and password.
With the way you have it, a hacker can sit there guessing usernames until your system politely tells them they have a correct username and from there continue until they have the pass.