In the failed redirect, add a url parameter like: "user_login.php?failed"
Then you can display a message based on that value existing using the Utility Server Behavior for "Show Region IF"
The trigger would be:
<?php (isset($_GET["fail"])?"1":"") ?>
Or you could just add the simple IF statement by hand like:
<?php
if (isset($_GET["fail"])) {
?>
Your login credentials were not correct, please try again.
<?php
}
?>
You could use security assist rules and the security assist show if server behavior for this, but it is so simple it is probably overkill. You would use the same concept though and create a rule to allow if the URL Parameter "fail" exists and name the rule and then use that rule for the display of the region on the page.