  • Steven (@spstieng) [Resolved]


    A former colleague, who is pretty up to date on security issues, told me that I should change the error message shown when a user tries to log in and types the wrong password.

    Today the default error message is: ERROR: Incorrect password.

    The problem with this is that you are confirming that the username is correct, thus making it a lot easier for brute-force generators to guess the password.

    A much better error message would be: ERROR: Wrong username or password.

    But where in WP can I change this?
    And how can I maintain the change when I update WP later on?

Viewing 1 replies (of 1 total)
  • Thread Starter Steven (@spstieng)

    Ah… after a bit more Googling I found this solution: https://www.wprecipes.com/wordpress-security-hide-login-error-messages

    // Remove the default error message and replace it with a custom one.
    // 'login_errors' receives the HTML that wp-login.php is about to print
    // inside <div id="login_error">; returning one fixed string means the page
    // no longer reveals which half of the username/password pair was wrong.
    add_filter( 'login_errors', 'login_error_mess' );

    function login_error_mess() {
        return '<span class="error"><strong>ERROR: </strong>Invalid username or password.</span>';
    }

    Since this goes in my custom plugin, WP updates will never overwrite it.
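An added example, written for this thread and not code from the original post or from the linked article, that closes the same leak one layer lower. Instead of rewriting every string that reaches the login_errors filter (which also swallows unrelated messages such as "empty password"), it hooks WordPress core's authenticate filter after the built-in username/email checks and replaces only the error codes that reveal whether the account exists. It assumes the core filter signature ($user, $username, $password), the core error codes invalid_username, invalid_email and incorrect_password, and that the core checks run at priority 20; the plugin header, the ule_ prefix and the function name are my own choices.

```php
<?php
/*
 * Plugin Name: Uniform Login Errors
 * Description: Added example (not from the thread). Makes "unknown username"
 * and "wrong password" indistinguishable on the login form.
 */

// Assumption: core's wp_authenticate_username_password() and
// wp_authenticate_email_password() are attached to 'authenticate' at
// priority 20, so priority 30 sees the WP_Error they produce.
add_filter( 'authenticate', 'ule_uniform_login_error', 30, 3 );

/**
 * Collapse account-revealing login errors into one generic error.
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier authenticate callbacks.
 * @param string                $username Submitted login or email address.
 * @param string                $password Submitted password.
 * @return WP_User|WP_Error|null
 */
function ule_uniform_login_error( $user, $username, $password ) {
	// Successful login (WP_User) or nothing submitted yet (null): pass through.
	if ( ! is_wp_error( $user ) ) {
		return $user;
	}

	// Core error codes that tell an attacker which half of the pair was right:
	// invalid_username / invalid_email = "no such account",
	// incorrect_password             = "account exists, password wrong".
	$leaky_codes = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

	foreach ( $user->get_error_codes() as $code ) {
		if ( in_array( $code, $leaky_codes, true ) ) {
			// Return a fresh WP_Error so neither the old code nor the old
			// message (which embeds the username) survives to the page.
			return new WP_Error(
				'invalid_credentials',
				'<strong>ERROR:</strong> Invalid username or password.'
			);
		}
	}

	// Anything else (empty fields, errors added by other plugins) is untouched.
	return $user;
}
```

Drop the file into wp-content/mu-plugins/ or wp-content/plugins/ as usual. To check it, submit a login with a nonexistent username and one with a real username and a wrong password, and compare the two responses; the error div should be byte-for-byte identical, and the HTTP status and the presence of the "Lost your password?" link should not differ either. Note that this only covers the login form: the lost-password form, author archive URLs such as ?author=1, and the REST users endpoint under /wp-json/wp/v2/users can still expose usernames and need separate treatment.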

  • The topic ‘Security risk?’ is closed to new replies.