You can use a variation of this code to change invalid login messages (adjust the message to your needs; but see note below):
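
    add_filter('login_errors', function ($error) {
        global $errors;

        // $errors is only a WP_Error during a failed login; otherwise leave the message alone.
        if (!is_wp_error($errors)) {
            return $error;
        }

        $err_codes = $errors->get_error_codes();

        // Invalid username.
        if (in_array('invalid_username', $err_codes)) {
            $error = "<strong>ERROR</strong>: Sorry, that is incorrect.";
        }

        // Incorrect password: same text as above, so the two cases cannot be told apart.
        if (in_array('incorrect_password', $err_codes)) {
            $error = "<strong>ERROR</strong>: Sorry, that is incorrect.";
        }

        return $error;
    });
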
In regards to the message, I have specified a more ‘secure’ message – one that will describe the problem, but won’t give hints to a hacker trying to enumerate user IDs.
You should also block excessive login attempts.
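
One way to block excessive login attempts, as an added example that is not part of the original post: it counts failures per client IP address in a transient and refuses logins once a limit is reached. The `example_` names, the limit of 5 and the 15-minute window are assumptions; the hooks and transient functions are WordPress core.

```php
// Added example for functions.php or a small plugin. Limits are assumed values.
const EXAMPLE_MAX_FAILURES = 5;    // failed attempts allowed before lockout
const EXAMPLE_LOCK_SECONDS = 900;  // counter lifetime: 15 minutes

// Hypothetical helper: one counter per client IP address.
// Behind a reverse proxy REMOTE_ADDR is the proxy's address, so every
// visitor would share a counter; adapt the source of the address there.
function example_throttle_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5($ip); // hash keeps the key short and safe
}

// Count every failure the same way, whether the username or the password
// was wrong, so the throttle itself does not help enumerate accounts.
// set_transient() restarts the expiry, so continued attempts extend the lockout.
add_action('wp_login_failed', function ($username) {
    $key   = example_throttle_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, EXAMPLE_LOCK_SECONDS);
});

// Priority 30 runs after core's username/password check (priority 20).
// Returning a WP_Error here refuses the login even if the password was right.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(example_throttle_key()) >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            '<strong>ERROR</strong>: Too many failed attempts. Try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(example_throttle_key());
});
```

The lockout message is the same for every username, so it gives no more away than the generic "that is incorrect" text above.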