Hi . When someone tries to login to my site with combination of username and password , There is vulnerability . for example, when attacker enters incorrect username the error appear ( ERROR: Invalid username. ) and when he enters correct username and incorrect password the error is (ERROR: The password you entered for the username example is incorrect ) .That will make easier for the attacker to find out the correct username . My suggestion is to make login error ( incorrect username or password ) even if attacker enters the correct username .