Optionally filter ALL login errors
Currently, if the option “Don’t let WordPress reveal valid users in login errors” (loginSec_maskLoginErrors) is enabled, it will catch login errors of the types ‘invalid_username’ and ‘incorrect_password’ (lib/wordfenceClass.php, Line 1083). This allows for the existence of a user to be leaked when the error is a different type, which some plugins (including the dual-factor auth section of Wordfence) will set.
Could this option be updated or a new option added to replace all login errors with a generic message?
I think that removing the get_error_code() checks from lib/wordfenceClass.php, Line 1083 would do the trick.
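The request above, sketched as a standalone WordPress filter. This is an added example, not part of the original post and not Wordfence's code; the function name `example_mask_all_login_errors` and the message text are assumptions, and it relies only on the core `authenticate` filter and `WP_Error`.

```php
<?php
/**
 * Added example (not Wordfence code): collapse every login failure into one
 * generic error so the error type cannot reveal whether a username exists.
 * The function name and message text are assumptions for illustration.
 */

// Run after the other 'authenticate' callbacks so their errors are visible here.
add_filter( 'authenticate', 'example_mask_all_login_errors', PHP_INT_MAX, 3 );

function example_mask_all_login_errors( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // Successful login or still undecided (null): leave untouched.
    }

    // Empty-field errors say nothing about account existence; core also
    // produces them when the blank login form is first loaded.
    $harmless = array( 'empty_username', 'empty_password' );
    if ( in_array( $user->get_error_code(), $harmless, true ) ) {
        return $user;
    }

    // Deny by default: any other code, including ones set by plugins,
    // is replaced rather than matched against a list of known codes.
    return new WP_Error(
        'authentication_failed',
        __( '<strong>Error:</strong> Invalid username or password.' )
    );
}
```

Any callback that reads the error code after this filter sees only `authentication_failed`, so test it alongside plugins that add their own login steps.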