What are the best practices for handling user authentication and login attempts in PHP applications to ensure security and usability?

// Example code snippet for secure user authentication and login handling in PHP

// Validate user credentials
if ($_POST['username'] && $_POST['password']) {
    // Check if username and password are valid
    if (isValidUser($_POST['username'], $_POST['password'])) {
        // Set session variables for authenticated user
        $_SESSION['username'] = $_POST['username'];
        // Redirect user to dashboard or home page
        header('Location: dashboard.php');
        exit();
    } else {
        // Increment login attempts and lock account if necessary
        incrementLoginAttempts($_POST['username']);
        // Display error message to user
        echo 'Invalid username or password';
    }
}

// Function to validate user credentials
function isValidUser($username, $password) {
    // Implement secure password hashing algorithm (e.g. bcrypt)
    $hashedPassword = password_hash($password, PASSWORD_BCRYPT);
    
    // Check if username and hashed password match in database
    // Replace this with actual database query
    if ($username === 'admin' && password_verify($password, $hashedPassword)) {
        return true;
    } else {
        return false;
    }
}

// Function to increment login attempts and lock account if necessary
function incrementLoginAttempts($username) {
    // Implement logic to track login attempts and lock account if necessary
    // For example, update database with login attempts count and lock status
}