yes and no.
Let's start with Joomla. Joomla, by default, is not vulnerable as WordPress to user enumeration. However, if you have user registration enabled, the attacker can try to create a new user with some strange email address (so he will be sure it doesn't exist) and iterate over a list of well known username. In that case Joomla will trigger an error if the user actually exists. This is something doable, but it's not so trivial.
You can easily mitigate this by disabling user registration if it's not needed and user non-trivial usernames for Super Users (for the love of God do not use admin).
WordPress is a different beast: you can easily enumerate all the usernames by simply providing the wrong password. If the user exists, WordPress will say something like Incorrect password for user XXX, while if the user doesn't exists it will say Invalid user account. As you can see it's trivial for an attacker to enumerate all the users.
However Admin Tools in this case can protect you. First of all, you can block users failing to provide the password several times; moreover it can change the "wrong password" message so it will remove the username from the alert.
Hope this helps.
Developer and Support Staff