• How and where do I modify the Login error messages?

    For example if I login with my username and an incorrect password, it tells me:

    ERROR: Incorrect password.

    For security reasons I don’t want it to specify whether it’s the username or password that is incorrect.

    I want it to say instead:
    ERROR: Incorrect username or password.

    Where do I change this text?
    I’ve searched just about every file in my installation looking for it.
    I did see a “combo” error message in the wp-login but I don’t see a way to enable it, etc…

    Please advise.

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    That’s not really a valid “security” improvement, actually. It’s irrelevant whether the attacker knows what he got wrong, as it provides no extra information that would help him to get in. Furthermore, the usernames are exposed in dozens of other places already.

    But the text you need to change is in pluggable.php, in the wp_authenticate() function.

    Thread Starter logtown

    (@logtown)

    OK, thanks for the response.
    I think the logic was that if the error returned invalid password, then they would know that the username existed and could continue trying to get the password.

    I will check out the file and function you suggested.

    Thank you

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    i think the logic was that if the error returned invalid password, then they would know that the username existed and could continue trying to get the password.

    They can get the usernames in half a dozen other places already, that is not privileged or hidden information.

    I don’t mean to step into this one late (or on anyone’s toes), but I think it sort of is a valid security issue. Maybe the username is available in a bunch of other places, but the less you let an attacker know about what they did wrong, the harder it is for them to tell what they did right.

    By making the error vague, you might not keep a dictionary attack from succeeding, but it might give the casual attacker reason to give up.
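    The thread points at wp_authenticate() in pluggable.php, but editing core gets overwritten on the next update. As an added example (not code from the thread or from WordPress itself), the same result can be had from a small plugin or functions.php using the core `authenticate` filter and the `wp_login_failed` action; the function names rmp_generic_login_error and rmp_log_failed_login are made up here, and the WP_Error codes listed are the ones core's username/password check returns.

```php
<?php
/*
 * Added example: one generic message for every credential failure, plus
 * server-side logging of the real reason so the detail reaches the admin's
 * log instead of the login screen.
 */

// Core's wp_authenticate_username_password() runs on 'authenticate' at
// priority 20, so priority 30 sees its WP_Error result.
add_filter( 'authenticate', 'rmp_generic_login_error', 30, 3 );

function rmp_generic_login_error( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // WP_User (success) or null: leave untouched.
    }
    // Codes that reveal which half of the pair was wrong.
    $revealing = array( 'invalid_username', 'incorrect_password', 'invalid_email' );
    foreach ( $user->get_error_codes() as $code ) {
        if ( in_array( $code, $revealing, true ) ) {
            // Replace the message and the code, since some themes and
            // plugins branch on the code rather than the text.
            return new WP_Error(
                'invalid_credentials',
                '<strong>ERROR</strong>: Incorrect username or password.'
            );
        }
    }
    return $user; // Empty fields and other plugins' errors pass through.
}

// wp_authenticate() fires 'wp_login_failed' with the submitted username
// after any failure; record it server-side for rate limiting or review.
add_action( 'wp_login_failed', 'rmp_log_failed_login' );

function rmp_log_failed_login( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // Log only the username, never the password that was tried.
    error_log( sprintf(
        'wp login failed: user=%s ip=%s',
        sanitize_user( $username ),
        $ip
    ) );
}
```

The user-facing text stays the same whether the username or the password was wrong, while the log line keeps enough detail to spot repeated attempts against one account.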

  • The topic ‘How and where do I modify the Login error messages?’ is closed to new replies.