Customizing login message

You can use a variation of this code to change invalid login messages (adjust the message to your needs; but see note below):

add_filter('login_errors', function ($error) {
    global $errors;
    $err_codes = $errors->get_error_codes();

    // Invalid username.
    if (in_array('invalid_username', $err_codes)) {
        $error="<strong>ERROR</strong>: Sorry, that is incorrect.";

    // Incorrect password.
    if (in_array('incorrect_password', $err_codes)) {
        $error="<strong>ERROR</strong>: Sorry, that is incorrect.";

    return $error;

In regards to the message, I have specified a more ‘secure’ message – one that will describe the problem, but won’t give hints to a hacker trying to enumerate user IDs.

You should also block excessive login attempts.