Well this looks like it could be your problem
$query = " SELECT password FROM users WHERE username=?";
Your Query has one parameter in it for
username, but you are adding two parameters to the command.
$stmt->bindParam('username', $username, PDO::PARAM_STR);
$stmt->bindValue('password', $password, PDO::PARAM_STR);
Also... I surely hope you aren't saving passwords as plain text.