• Resolved pattycake

    (@pattycake)


    I have people that have discovered the admin email address and are trying to log in using that as a username. I always log in using the admin username, never the email address. Can I add the email address to the firewall blocking and still be able to log in using the username, not the email address? Hate to lock myself out.

    • This topic was modified 3 months ago by pattycake.
Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @pattycake, thanks for getting in touch,

    At present, the email address associated with a valid username can’t be separately considered invalid.

    An email address or even WordPress username being exposed isn’t generally considered a security issue, even by WordPress themselves: https://make.ww.wp.xz.cn/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue

    The best protection is to make sure all admin accounts and those with high-level access use a very strong password and, ideally, two-factor authentication to ensure the login attempts don’t succeed. We recommend using a password manager to store and/or generate long complex passwords that are exceedingly difficult to brute force.

    If there are a large number of login attempts coming from a large pool of IP addresses, then you can also enable the Google reCAPTCHA feature found on the Login Security > Settings page.

    Generally speaking, it’s time-consuming and not necessary to implement a manual blocking regime as Wordfence will do all the important blocking for you. You can by all means decrease the number of login attempts allowed and increase block/lockout times in your Rate Limiting and Brute Force settings to hours, days, or even months to see if this reduces the noise.

    Many thanks,
    Peter.
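
Separately from the Wordfence settings discussed above, WordPress core (4.5 and later) treats login by email address as its own step on the `authenticate` filter, so a site can switch it off while username login keeps working. The must-use plugin below is an added example, not code from this thread or from Wordfence; the function name `example_log_email_login_attempt` and the log format are hypothetical, and it assumes no other plugin re-registers email authentication.

```php
<?php
/**
 * Plugin Name: Username-only login (added example)
 * Constructed example for wp-content/mu-plugins/. Not Wordfence code.
 */

// WordPress core registers two password authenticators on the
// 'authenticate' filter, both at priority 20: one looks the submitted
// identifier up as a user_login, the other as a user_email.
// Removing the second one leaves username login untouched.
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );

// Record failed attempts that used an email-shaped identifier so the
// remaining noise can be reviewed alongside the firewall's own logs.
add_action( 'wp_login_failed', 'example_log_email_login_attempt' );

/**
 * Hypothetical helper: log rejected login-by-email attempts.
 *
 * @param string $username Identifier submitted on the login form.
 */
function example_log_email_login_attempt( $username ) {
    if ( ! is_email( $username ) ) {
        return; // Ordinary username failure; nothing extra to record.
    }

    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // Log a hash of the identifier to keep email addresses out of logs.
    error_log( sprintf(
        'login-by-email rejected: id_sha256=%s ip=%s',
        hash( 'sha256', strtolower( $username ) ),
        $ip
    ) );
}
```

Try it on a staging copy first, or keep a logged-in admin session open while testing, and confirm that the admin username still signs in before relying on it. An account whose username is itself an email address continues to work, because that lookup goes through the username authenticator.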
