Title: Security risk? Last modified: August 19, 2016 --- # Security risk? * Resolved [Steven](https://wordpress.org/support/users/spstieng/) * (@spstieng) * [16 years, 4 months ago](https://wordpress.org/support/topic/security-risk/) * A former colleague which is pretty up to date on security issues, told me that I should change the error message when a user tries to log in and the user types the wrong password. * Today the default error message is: `ERROR: Incorrect password.` * The problem with this, is that you are confirming correct username, thus making it a lot easier for brute-force generators to guess the password. * Much better error message would be `ERROR: Wrong username or password`. * But where in WP can I change this? And how can I maintain the change when I update WP later on? Viewing 1 replies (of 1 total) * Thread Starter [Steven](https://wordpress.org/support/users/spstieng/) * (@spstieng) * [16 years, 4 months ago](https://wordpress.org/support/topic/security-risk/#post-1367194) * Ah…. after a bit more Googling I found this solution: [http://www.wprecipes.com/wordpress-security-hide-login-error-messages](http://www.wprecipes.com/wordpress-security-hide-login-error-messages) * ``` // Remove default error message and replace with custom error message add_filter('login_errors', 'login_error_mess'); function login_error_mess() { return 'ERROR: Invalid username or password.'; } ``` * Adding this to my custom plugin, WP updates will never overwrite this. Viewing 1 replies (of 1 total) The topic ‘Security risk?’ is closed to new replies. * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 1 reply * 1 participant * Last reply from: [Steven](https://wordpress.org/support/users/spstieng/) * Last activity: [16 years, 4 months ago](https://wordpress.org/support/topic/security-risk/#post-1367194) * Status: resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics