[jameskilton]

Do note that this doesn't fix the problem. The system (at least High Sierra) will happily re-enable the user for every attempt at logging in.

[LolWolf]

Just change the root password once the account is enabled; this fixes the hole.

sudo passwd -u root

It's sad we have to do this, though.

[tekacs]

If you disable the root user using `dsenableroot -d` from the Terminal, this seems to disable the account in a way that leaves its password intact.

[pwinnski]

The bug isn't in the disabling, it's in the auto-enabling on attempt.

[tekacs]

Having tested this by both approaches (disabling through GUI & shell), the above (through shell) seems to prevent this from re-occurring when you attempt to perform this bogus login again. Disabling the account via the GUI causes the failure to re-occur.