su allows you to switch to another user (typically root). Unfortunately, your users can attempt to guess the root password this way. You can limit which users can attempt to switch to root and therefore make it harder for to guess your root password.

You can configure PAM to require that a user be in the wheel group in order to su to root. To do this, you need to uncomment (or add) the following line to: /etc/pam.d/su

To uncomment it, just remove the # at the beginning of the line. If you don't see this line, add it before any line that starts with session.

This change takes effect immediately. Just make sure to add any user you want to give the ability to su to root into the wheel group.