issue with username enumeration
hi. i use this fine tool to harden my wordpress and f.ex. disable username enumeration. if i try to log in with wrong user credentials, then i don’t get a reply like: “username does not exist”, or “wrong password” (which in return can spill the username) but a generic error: “ERROR: Invalid login credentials.” now when i go to my “/account/lost-password/” page and i type in a wrong username / email, this does not work. i get a “Invalid username or email.” response and this comes from woocommerce directly. at least i found that string inside the wc plugin folder. if it was up to me, i’d rather have a response like “if this account exists, we send out a reset link” (or similar) and not the hint about the username/email. it would be awesome, if you could work together with the folks of aios to solve this issue?!
as far as i can see it, they filter the error messages, so all wc needs to do, is pass the errors to the right standard wordpress filter..
- The topic ‘issue with username enumeration’ is closed to new replies.
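The lost-password behaviour described in this thread, as an added example that is not part of the original post and is not WooCommerce or AIOS code: a reset handler that answers differently for unknown accounts, a handler that always gives the generic answer, and a check that reports which response fields give the difference away. The account store, mail outbox, handler names and success wording are constructed for illustration; only the "Invalid username or email." string comes from the post.

```python
# Added example: constructed model of a password-reset endpoint.
USERS = {"alice": "alice@example.test"}   # constructed sample account store
OUTBOX = []                               # stand-in for the mailer (assumption)

GENERIC = "If this account exists, a reset link has been sent."


def lookup(login):
    """Resolve a username or e-mail to the account's e-mail, else None."""
    login = login.strip().lower()
    if login in USERS:
        return USERS[login]
    return login if login in USERS.values() else None


def reset_leaky(login):
    """Behaviour reported in the post: unknown accounts get a distinct error."""
    email = lookup(login)
    if email is None:
        return {"status": 200, "body": "Invalid username or email."}
    OUTBOX.append(email)
    return {"status": 200, "body": "Password reset email has been sent."}


def reset_uniform(login):
    """Requested behaviour: identical response whether or not the account exists."""
    email = lookup(login)
    if email is not None:
        OUTBOX.append(email)          # mail is still sent for real accounts
    return {"status": 200, "body": GENERIC}


def enumeration_signal(handler, known, unknown):
    """Return the response fields that differ between an existing and a
    non-existing login. An empty list means the visible response gives no
    hint; timing differences are outside what this check covers."""
    a, b = handler(known), handler(unknown)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))


if __name__ == "__main__":
    print("leaky  :", enumeration_signal(reset_leaky, "alice", "mallory"))
    print("uniform:", enumeration_signal(reset_uniform, "alice", "mallory"))
```

The same comparison can be made by hand against a staging site: submit one existing and one non-existing login to the reset form and compare status, body and redirect target.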