• I’ve noticed a lot of websites let you change your password if you attempt it three or more times with the wrong username (or email) and password combination. I’d like WordPress to do that natively.

    Would that create a vulnerability to bot attacks by creating another field for them to fill?

    Also, I noticed that now the password creation and reset field doesn’t require a password confirmation (entering the password twice).

    I do like the Hide/Unhide feature and it now appears to be employed industry-wide everywhere (especially in smartphone apps and tablet sites where you click the little icon in the field).

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator James Huff

    (@macmanx)

    That would be a *huge* vulnerability, akin to an open door.

    Picture this, I go to your site and attempt to log in as you. I get it wrong 3 times of course, because I don’t know your password, so your site offers me to change it. So, I change it, and log in as you.

    Would you please let me know what sites you have seen that offer that?

    Thread Starter jason_hayes

    (@jason_hayes)

    Well it’s slightly different than that.

    If you get it wrong 3 times you go to the password reset “Request” page where you enter your email or username and you’re sent a link to reset your password. You still have to get the email and click the link to reset the password.

    It was Credit Karma.

    Thread Starter jason_hayes

    (@jason_hayes)

    So it does still use the lost password routine.

    Moderator James Huff

    (@macmanx)

    Oh, WordPress already has that. It’s not automated or triggered after a certain interval, but you should see a “Lost your password?” link below the login form.

  • The topic ‘Incorrect Login/Too Many Attempts’ is closed to new replies.