• Resolved fortunebay

    (@fortunebay)


    I just started using WordFence and overall I’d say it’s great, but the feature titled “Don’t let WordPress reveal valid users in login errors” seems incomplete. It attempts to prevent probing for valid/invalid usernames via the regular login page (mysite.com/wp-login.php) and it does that by making the error message ambiguous as to whether the user exists or not. But if one goes to the lost-password page (mysite.com/wp-login.php?action=lostpassword) the error message still reveals whether the username is valid or not. It seems that this feature is useless unless it blocks username discovery in both places. Is this just an outright bug or is there another setting I’m missing?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @fortunebay and thanks for reaching out to us!

    I set this same scenario up on my test site and found that the information you provided is true. Thanks for pointing that out!

    I will show these results to our team. Possibly this will change in a future release.

    Thanks again for your feedback!

    Hello @wfadam,

    Any progress on this topic? I would be very interested to see this being fixed.

    Kind regards.

  • The topic ‘Usernames revealed via lost-password page’ is closed to new replies.
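
A regression check for the gap reported in this thread, added here as an example (it is not part of the thread and is not Wordfence code): it compares the response for a known username against the response for an unknown one and flags any observable difference in status, redirect or error text. The function names and the sample responses are constructed for illustration, and the `login_error` element id is assumed to be where the page renders its error.

```python
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input"}  # tags that never get a closing tag

class ErrorText(HTMLParser):
    """Collects the text inside the element with id="login_error"."""
    def __init__(self):
        super().__init__()
        self.depth, self.parts = 0, []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        if self.depth or dict(attrs).get("id") == "login_error":
            self.depth += 1
    def handle_endtag(self, tag):
        if self.depth and tag not in VOID:
            self.depth -= 1
    def handle_data(self, data):
        if self.depth:
            self.parts.append(data)

def fingerprint(resp, username):
    """Reduce a response to what an observer can compare.
    The submitted username is masked so that echoing it back is not a difference."""
    parser = ErrorText()
    parser.feed(resp.get("body", ""))
    text = " ".join("".join(parser.parts).split()).replace(username, "<user>")
    return (resp["status"], resp.get("location", ""), text)

def reveals_user(known, unknown):
    """True when the two (response, username) pairs are distinguishable."""
    return fingerprint(*known) != fingerprint(*unknown)

# Constructed sample responses (not captured from a real site).
AMBIGUOUS = '<div id="login_error">Invalid username or password.</div>'
LOGIN_KNOWN = ({"status": 200, "body": AMBIGUOUS}, "alice")
LOGIN_UNKNOWN = ({"status": 200, "body": AMBIGUOUS}, "nobody123")
LOST_KNOWN = ({"status": 302, "location": "wp-login.php?checkemail=confirm",
               "body": ""}, "alice")
LOST_UNKNOWN = ({"status": 200, "body": '<div id="login_error"><strong>Error'
                 '</strong>: There is no account with that username.</div>'},
                "nobody123")

if __name__ == "__main__":
    print("login form reveals users:   ", reveals_user(LOGIN_KNOWN, LOGIN_UNKNOWN))
    print("lost-password reveals users:", reveals_user(LOST_KNOWN, LOST_UNKNOWN))
```

Running the same comparison against every form that accepts a username (login, lost password, registration) shows whether a hardening setting covers all of them.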