This is not theme related.
Overall, the best way is to never use an admin account for posting – create separate user account for your posts.
Then you can use .htaccess file in the wp-admin dir to allow only connections from selected IP addresses, this way bad guys will not ever get to the important stuff/
You can also check these plugins:
https://wordpress.org/plugins/display-name-author-permalink/
https://wordpress.org/plugins/Hide-Username-Front-Side/
I found info about them in:
https://athemes.com/forums/topic/remove-author-link-reveals-wp-login-name/
https://wordpress.stackexchange.com/questions/5742/change-the-author-slug-from-username-to-nickname#answer-6527
Another related info:
WordPress’ handbook has a section on reporting security vulnerabilities that explains why disclosures of usernames or user IDs is not a security issue:
The WordPress project doesn’t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.
Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments — such as Google and Facebook — have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5.
WordPress Core Security Team Lead Aaron Campbell clarified this section of the handbook to confirm that the users endpoint is intended to be an open API endpoint that serves public data.
“It does in fact include usernames and user IDs (among other things) for users that have published posts in a post type that is set up to use the API, but all the data is considered public,” Campbell said.
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue
