Description
wp-login.php doesn't include a nonce field. Ideally this would be a proper nonce that is valid only once (a random token stored in the object cache or the database and deleted on first use), rather than the reusable, time-limited hash that core's wp_create_nonce() produces. That adds a server-side write on every render of the login form and requires the login page to be served uncached, since a cached page would hand every visitor the same, already-consumed token.
Here is a plugin that provides a reasonable starting point.
Use Case
Nonces are a best practice for forms. In addition to preventing CSRF (on the login form, chiefly login CSRF, where a victim is silently signed into an attacker-controlled account), they help mitigate brute-force attacks by at least slowing them down: every attempt must first fetch the form to obtain a token. Further, since WordPress-focused bot networks currently POST credentials straight to wp-login.php without loading the form, adding a nonce is low-hanging fruit that immediately defeats the most common automated attacks. A bot that is updated to fetch the form first still gets a token, so this is a speed bump and a filter for unsophisticated traffic, not a substitute for rate limiting.
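As an added illustration (this is not the plugin attached to this ticket and not WordPress core code), here is a minimal plugin implementing the single-use token the description asks for. The sult_* function names, SULT_* constants, the hidden field name and the transient key prefix are all invented for this example; the hooks (login_form, authenticate), the transient API and WP_Error are real core APIs.

```php
<?php
/**
 * Plugin Name: Single-Use Login Token (example)
 * Description: Adds a one-time, short-lived token to the wp-login.php form and
 * rejects form logins that do not present a valid one.
 *
 * All sult_* / SULT_* names are invented for this example; they are not part of
 * WordPress core or of the plugin attached to the ticket.
 */

const SULT_FIELD  = 'sult_token';
const SULT_PREFIX = 'sult_';                 // transient key prefix
const SULT_TTL    = 10 * MINUTE_IN_SECONDS;  // token lifetime; login page must not be cached

/**
 * Mint a random token, remember it server-side (object cache when one is
 * configured, otherwise the options table) and print it as a hidden field.
 * Runs on every render of the form, which is why the page cannot be cached.
 */
function sult_print_login_field() {
    $token = bin2hex( random_bytes( 16 ) );  // 128 bits from the CSPRNG
    set_transient( SULT_PREFIX . $token, time(), SULT_TTL );
    printf(
        '<input type="hidden" name="%s" value="%s" />',
        esc_attr( SULT_FIELD ),
        esc_attr( $token )
    );
}
add_action( 'login_form', 'sult_print_login_field' );

/**
 * Validate and consume a token. Deleting the transient on first use is what
 * makes this a true nonce: a core wp_create_nonce() value stays valid for
 * 12 to 24 hours and, for logged-out visitors, is identical for everyone.
 */
function sult_consume_token( $token ) {
    if ( ! is_string( $token ) || ! preg_match( '/^[0-9a-f]{32}$/', $token ) ) {
        return false;                        // malformed: never touch the store
    }
    $key = SULT_PREFIX . $token;
    if ( false === get_transient( $key ) ) {
        return false;                        // unknown, expired, or already used
    }
    delete_transient( $key );                // single use
    return true;
}

/**
 * Enforce the token on form-based logins only. XML-RPC, the REST API, WP-CLI
 * and programmatic wp_signon() calls also pass through the 'authenticate'
 * filter and carry no form token, so they are deliberately left alone.
 * Priority 100 runs after core's own callbacks; the password check has already
 * happened, but a request without a valid token is rejected regardless of its
 * outcome, so the caller learns nothing about the password from the response.
 */
function sult_enforce_token( $user, $username, $password ) {
    global $pagenow;
    if ( 'wp-login.php' !== $pagenow || 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return $user;
    }
    if ( ! sult_consume_token( $_POST[ SULT_FIELD ] ?? null ) ) {
        return new WP_Error(
            'sult_invalid_token',
            __( '<strong>Error:</strong> Login form token missing, expired or already used. Please reload the page and try again.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'sult_enforce_token', 100, 3 );
```

Dropping this file into wp-content/plugins/ and activating it is enough to test it: a POST to wp-login.php without a freshly fetched token is refused, and submitting the same token twice fails the second time. The store is bounded by SULT_TTL (core's daily cron removes expired transients from the options table; an object cache expires them itself). A variant built on wp_nonce_field() and wp_verify_nonce() is simpler but would not meet the description's "only usable once" requirement, because for anonymous visitors a core nonce is computed from user ID 0 and an empty session token and is therefore shared by every visitor for the whole tick window.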