A former colleague who is pretty up to date on security issues told me that I should change the error message shown when a user tries to log in and types the wrong password.
Today the default error message is: ERROR: Incorrect password.
The problem with this is that you are confirming the correct username, thus making it a lot easier for brute-force generators to guess the password.
A much better error message would be: ERROR: Wrong username or password.
But where in WP can I change this?
And how can I maintain the change when I update WP later on?
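As an added example (not part of the original question, and not code from WordPress core), this is one way to do both things at once: WordPress passes the login form's error text through the `login_errors` filter in wp-login.php, and a must-use plugin dropped into wp-content/mu-plugins/ is loaded automatically and is not overwritten when core is updated. The plugin name and file name are my own choices.

```php
<?php
/**
 * Plugin Name: Generic Login Errors
 * Description: Show one generic message for failed logins so the form does not confirm whether a username exists.
 *
 * Save as wp-content/mu-plugins/generic-login-errors.php (file name is an assumption;
 * any .php file in mu-plugins/ is loaded by WordPress and survives core updates).
 */

// Prevent direct access to the file.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Replace the error HTML that wp-login.php is about to print.
 *
 * @param string $error Error markup built by wp-login.php ("Invalid username",
 *                      "The password you entered for the username X is incorrect", ...).
 * @return string Either the generic message or the untouched original.
 */
function gle_generic_login_error( $error ) {
    // Only rewrite errors produced by a submitted login form. The lost-password
    // form posts 'user_login' rather than 'log', and its messages (e.g. "Invalid
    // username or email") also pass through this filter; leaving those alone
    // avoids telling a user "wrong password" on a form that has no password field.
    if ( isset( $_POST['log'] ) && ! empty( $error ) ) {
        return '<strong>ERROR</strong>: Wrong username or password.';
    }

    return $error;
}
add_filter( 'login_errors', 'gle_generic_login_error' );
```

One caveat worth knowing before relying on this: the filter only changes what the login form says. A default WordPress install still confirms usernames elsewhere, for example `?author=N` redirecting to the author's archive slug, and the REST endpoint `/wp-json/wp/v2/users` listing users who have published posts, so this change removes one enumeration vector rather than all of them.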