• Resolved anonymized-17115093

    (@anonymized-17115093)


    This is unbelievable and completely undermines the trust in the plugin to protect! Some people, to deal with the problem, disable some features – you’ve made it happen. For example, when you disable the option (in Wordfence / Brute Force Protection) Don’t let WordPress reveal valid users in login errors, everything works properly, but security is lower. It’s just a shame! We were supposed to invest in licenses for this plugin for over 50 pages, and we read about things where you can’t solve simple problems for 2 years!

    • This topic was modified 6 years ago by anonymized-17115093.
Viewing 1 replies (of 1 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @7dotmarketing

    Let’s say my username is XXXX and the option Don’t let WordPress reveal valid users in login errors is enabled.

    If I try to log in with the correct username, the message that Wordfence generates is:

    ERROR: The username or password you entered is incorrect. Lost your password?

    The hacker does not know if that tested username is correct or not.

    If I now disable the option Don’t let WordPress reveal valid users in login errors and try to log in, the message that WordPress generates is:

    Error: the password you entered for the username XXXXX is incorrect. Lost your password?

    The hacker now knows that the username XXXXX is the correct username and makes a brute force login attack a lot easier.

    The point that you are missing is that WordPress generates the message above if you disable our option, Wordfence does not generate that message.

    Currently WordPress does not consider the leaking of usernames to be a security issue that you can read about here:

    https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue
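
The mechanism described in this reply, the login error text differing depending on whether the username exists, can be neutralised at the WordPress level without any plugin setting. The snippet below is an added example, not Wordfence's own code and not a description of how its option is implemented; it assumes a small must-use plugin that hooks WordPress core's `authenticate` filter (core registers its own checks at priorities 20 and 30) and collapses the two revealing `WP_Error` codes, `invalid_username` / `invalid_email` and `incorrect_password`, into one generic error, so that a failed attempt looks the same for existing and non-existing accounts. The message wording mirrors the one quoted in the thread.

```php
<?php
/**
 * Plugin Name: Uniform Login Error (added example)
 *
 * Added example, not Wordfence's or WordPress core's own code. Drop this file
 * into wp-content/mu-plugins/ to make every bad-username or bad-password
 * attempt return the same error, so the login form no longer confirms which
 * usernames exist. Assumptions: WordPress core's authenticate callbacks run at
 * priorities 20 and 30, and the error codes below are the ones they emit.
 */

// Generic text, matching the message quoted in the thread when the
// "Don't let WordPress reveal valid users" option is on.
const UNIFORM_LOGIN_ERROR_TEXT = 'ERROR: The username or password you entered is incorrect.';

/**
 * Runs after core's own authentication checks (priority 40 > 30).
 * Leaves successful logins and non-revealing errors (empty fields, etc.)
 * untouched; rewrites only the errors that distinguish "no such user"
 * from "wrong password".
 *
 * @param WP_User|WP_Error|null $user     Result of earlier authenticate callbacks.
 * @param string                $username Submitted username or e-mail.
 * @param string                $password Submitted password.
 * @return WP_User|WP_Error|null
 */
function uniform_login_error( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // Authenticated user, or nothing to change.
    }

    // Core codes that leak whether the account exists.
    $revealing_codes = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

    foreach ( $user->get_error_codes() as $code ) {
        if ( in_array( $code, $revealing_codes, true ) ) {
            // Same code and same text regardless of which check failed.
            return new WP_Error(
                'invalid_credentials',
                UNIFORM_LOGIN_ERROR_TEXT
                . ' <a href="' . esc_url( wp_lostpassword_url() ) . '">'
                . __( 'Lost your password?' ) . '</a>'
            );
        }
    }

    return $user; // Some other error (e.g. empty_username): keep core's message.
}
add_filter( 'authenticate', 'uniform_login_error', 40, 3 );
```

Because the rewrite happens inside the `authenticate` filter rather than by editing the rendered string, the same generic error is also what XML-RPC and REST-based login paths receive, which is where the revealing text would otherwise still appear. As the reply notes, WordPress core treats username disclosure as out of scope, so this kind of site-level hardening is something the site owner has to add themselves.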


The topic ‘ERROR: The username or password you entered is incorrect. Lost your password?’ is closed to new replies.