Tagged: WordPress
- This topic has 2 replies, 2 voices, and was last updated 1 year, 1 month ago.
- November 20, 2019 at 5:46 pm #80881 Participant @chinomnso
The login page of WordPress by default displays an error message that could be valuable information in the hands of a user with malicious intent.
From a user experience perspective, it is a nice thing to be specific when displaying an error message. Letting users know if it was their username (or email address), password, or even both that was wrong could help them make better attempts when trying to log in after a failed attempt.
That, however, comes with a potential security flaw. When you let a user know which of their login credentials was wrong, you are potentially reducing the amount of work an attacker would do to break your site’s authentication system.
Removing the login error message
You could actually take off the entire error message. It’s a pretty simple thing to do, as illustrated by the snippet below:
```php
// Returning an empty value makes wp-login.php print no error text at all.
function remove_login_errors( $error ) {
    return null;
}
add_filter( 'login_errors', 'remove_login_errors' );
```

The problem with this is that it leaves the user clueless, and they may not even know what went wrong. They might even think your site is broken. You may prefer the next option.
Changing the login error message
With a single line of code, you can change the error message. Place the following line of code in your functions.php file:
```php
// Builds the callback from a string via create_function() (deprecated since PHP 7.2).
add_filter('login_errors', create_function('$a', "return '<strong>Error:</strong> Incorrect login details. Try again';"));
```

Feel free to change the error message to anything you like. Now, try logging in to your WordPress site using wrong credentials, and your login screen should look like the picture below.
Do you have a better way of doing this? Why not share them with us in the replies?
November 20, 2019 at 7:13 pm #80886 Keymaster @ehi-kioya

You should not use create_function(). Otherwise, while trying to close one potential security hole (too much information in WordPress login error messages), you may be inadvertently opening another, more dangerous security hole: the internal use of eval() inside the create_function() underlying code.

Instead, you need to rewrite the code that uses create_function() to use an anonymous function (aka closure) in its place. This article provides an example: Fix For “Function create_function() is deprecated” In PHP 7.2

So, in your above code, this line:

```php
add_filter('login_errors', create_function('$a', "return '<strong>Error:</strong> Incorrect login details. Try again';"));
```

Should be replaced with something like this:

```php
add_filter('login_errors', function($a){ return '<strong>Error:</strong> Incorrect login details. Try again'; });
```

I didn’t test my above code though. But I think it should work. Or at least, it should give any reader a guideline on how to avoid using create_function().

There’s more info about create_function() here.

November 21, 2019 at 3:35 am #80919 Keymaster @ehi-kioya

Quick follow up.
Since you’re using the add_filter() function, the anonymous function technique I mentioned above may not even be necessary (even though it should totally work). An old-school named function like this should also accomplish the same goal:

```php
function remove_login_errors( $error ) {
    return '<strong>Error:</strong> Incorrect login details. Try again';
}
add_filter( 'login_errors', 'remove_login_errors' );
```

In any case, create_function() should still be avoided.

I think using anonymous functions as replacements for create_function() became popular because developers wanted a one line replacement for a bad one line piece of code.