Turn on "password reset protect" and it will require "either the phone number or email address associated with your account in order to reset your password". I'm not sure it adds a ton of security, but it definitely cuts down on the password reset emails.
I personally know someone with a two letter twitter handle that is a word in the english language, for awhile there they were inundated with password request attempts, but it took knowing someone 1-1 inside of twitter security in order to put additional locks on their account, beyond what any config will show unfortunately.
