WordPress login insecure (4 posts)

  1. Backslider
    Posted 6 years ago #

    I just tried to log into my client's WordPress, however the password was wrong. All well and good, the login failed as expected, however the system gave the following message:

    ERROR: Incorrect password

    If I give it an incorrect username, again your system politely tells me:

    ERROR: Invalid username.

    So, now I know why my client tells me the system is being constantly being broken into!

    Do you guys developing WordPress NOT KNOW that you should NEVER indicate the exact reason for login failure?? The error should only say something like: "ERROR: Login failed, please check your username and password.

    With the way you have it, a hacker can sit there guessing usernames until your system politely tells them they have a correct username and from there continue until they have the pass.

  2. Backslider
    Posted 6 years ago #

    I see this was brought up on TRAC within the last two months:


    Idiot (no offense) Ryan tells us "This is by design. There is a balance to be made between security and user friendliness."

    This is an idiotic response. Yes, there is a balance, this is known as a "retrieve username/pass link" if really needed on the login page, not a system that gives hackers an easy way to crack into the system.

    "User friendliness" should FIRST be toward people running your system, not people who cannot manage to login correctly.

  3. techooze
    Posted 6 years ago #

    It's really insecure. Becomes easy to a little extent for someone to break in

  4. Vladimir Garagulya
    Posted 6 years ago #

    I'm fully agree with you. It is unsecure. But why not to use some plugin from the 'Login security' field? E.g. http://devel.kostdoktorn.se/limit-login-attempts ?
    It resolves this issue without changing a row of core WordPress code.

Topic Closed

This topic has been closed to new replies.

About this Topic