You can use something like this code in your functions.php (this is what I use on one of my sites):
// Modifies the error message when login is done incorrectly, in THIS case removes the 'forgot password' link in the error message by changing the text
function login_error_override() {
    return '<center><strong>Oooooh.....<em>SO</em> close, but<br />....no soup for you!</strong><br />Those are the incorrect login details.<br />Please contact the Site Admin via our Contact Page for help.</center>';
}
add_filter('login_errors', 'login_error_override');
// Removes the lost password LINK from login form page and replaces with new text
function remove_lostpassword_text( $text ) {
    // Only the exact "Lost your password?" string is replaced; everything else passes through
    if ( $text == 'Lost your password?' ) {
        $text = 'If you\'ve forgotten your password, please contact the Site Admin via our Contact Page, thanks!';
    }
    return $text;
}
add_filter( 'gettext', 'remove_lostpassword_text' );
// Changes lost password URL to send clickers to our Contact page
add_filter( 'lostpassword_url', 'wdm_lostpassword_url', 10, 0 );
function wdm_lostpassword_url() {
    return site_url( '/contact/' );
}
// Redirects user back to login form instead of following lost password action
function disable_lost_password() {
    if ( isset( $_GET['action'] ) ) {
        if ( in_array( $_GET['action'], array( 'lostpassword', 'retrievepassword' ) ) ) {
            wp_redirect( wp_login_url(), 301 );
            exit;
        }
    }
}
add_action( "login_init", "disable_lost_password" );
This ALSO removes the username from the error message, so that hackers don’t know if they’ve guessed a valid username or not. It’s a small thing, but it helps.
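A narrower variant of the error override above, added here as an example and not part of the original post: it replaces only the login errors that reveal whether an account exists, so other messages (such as an empty field) still reach the user. It is meant to be used in place of `login_error_override`; the function name and the `login_failed` error code are made up for this example.

```php
// Added example for functions.php, not code from the original post.
// Assumption: these core error codes are the ones that tell a visitor
// whether the username or e-mail address belongs to a real account.
function generic_credential_error( $user, $username, $password ) {
    // A WP_User (successful login) or null passes through unchanged.
    if ( ! is_wp_error( $user ) ) {
        return $user;
    }

    $revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

    // Swap any account-revealing error for one message that is identical
    // for "no such user" and "wrong password", with no lost-password link.
    if ( array_intersect( $revealing, $user->get_error_codes() ) ) {
        return new WP_Error(
            'login_failed', // hypothetical code chosen for this example
            'Those are the incorrect login details. Please contact the Site Admin via our Contact Page for help.'
        );
    }

    // Any other error (empty fields and so on) is left as WordPress wrote it.
    return $user;
}
// Priority 100 runs after the core username/e-mail/password checks.
add_filter( 'authenticate', 'generic_credential_error', 100, 3 );
```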