Technical Notes Of
Ehi Kioya


How To Change Or Remove The WordPress Login Error Message

Tagged: WordPress

  • November 20, 2019 at 5:46 pm #80881
    Participant
    @chinomnso

    The login page of WordPress by default displays an error message that could be valuable information in the hands of a user with malicious intent.

    From a user experience perspective, it is a nice thing to be specific when displaying an error message. Letting users know if it was their username (or email address), password, or even both that was wrong could help them make better attempts when trying to log in after a failed attempt.

    [Image: WordPress Login Error Message]

    That, however, comes with a potential security flaw. When you let a user know which of their login credentials was wrong, you are potentially reducing the amount of work an attacker would do to break your site’s authentication system.

    Removing the login error message

    You could actually take off the entire error message. It’s a pretty simple thing to do, as illustrated by the snippet below:

    // Returning null from the login_errors filter suppresses the message entirely.
    function remove_login_errors( $error ) {
        return null;
    }
    add_filter( 'login_errors', 'remove_login_errors' );

    The problem with this is that it leaves the user clueless, and they may not even know what went wrong. They might even think your site is broken. You may prefer the next option.

    Changing the login error message

    With a single line of code, you can change the error message. Place the following line of code in your functions.php file:

    add_filter('login_errors', create_function('$a', "return '<strong>Error:</strong> Incorrect login details. Try again';"));

    Feel free to change the error message to anything you like. Now, try logging in to your WordPress site using wrong credentials, and your login screen should look like the picture below.

    [Image: How To Change Or Remove The WordPress Login Error Message]

    Do you have a better way of doing this? Why not share it with us in the replies?

    November 20, 2019 at 7:13 pm #80886
    Keymaster
    @ehi-kioya

    You should not use create_function(). Otherwise, while trying to close one potential security hole (too much information in WordPress login error messages), you may be inadvertently opening another, more dangerous security hole – the internal use of eval() inside the create_function() underlying code.

    Instead, you need to rewrite the code that uses create_function() to use an anonymous function (aka closure) in its place. This article provides an example: Fix For “Function create_function() is deprecated” In PHP 7.2

    So, in your above code, this line:

    add_filter('login_errors', create_function('$a', "return '<strong>Error:</strong> Incorrect login details. Try again';"));

    Should be replaced with something like this:

    add_filter('login_errors', function($a){ return '<strong>Error:</strong> Incorrect login details. Try again'; });

    I didn’t test my above code though. But I think it should work. Or at least, it should give any reader a guideline on how to avoid using create_function().

    There’s more info about create_function() here.

    November 21, 2019 at 3:35 am #80919
    Keymaster
    @ehi-kioya

    Quick follow-up.

    Since you’re using the add_filter() function, the anonymous function technique I mentioned above may not even be necessary (even though it should totally work).

    An old-school named function like this should also accomplish the same goal:

    // Named callback: returns one generic message for every login error.
    function remove_login_errors( $error ) {
        return '<strong>Error:</strong> Incorrect login details. Try again';
    }
    add_filter( 'login_errors', 'remove_login_errors' );

    In any case, create_function() should still be avoided.

    I think using anonymous functions as replacements for create_function() became popular because developers wanted a one-line replacement for a bad one-line piece of code.
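
A narrower variant of the approach in this thread, as an added example that is not part of the original posts: the `login_errors` filter rewrites every error shown on the login screen, so this sketch uses WordPress's `wp_login_errors` filter to replace only the messages that reveal which credential was wrong. The function name and the `login_failed_generic` error code are hypothetical.

```php
<?php
// Added example, not from the thread. Place in functions.php or a small plugin.
// example_generic_login_error and 'login_failed_generic' are hypothetical names.

/**
 * Collapse only the errors that reveal which credential was wrong.
 *
 * @param WP_Error $errors      Errors about to be shown on wp-login.php.
 * @param string   $redirect_to Redirect destination (unused here).
 * @return WP_Error
 */
function example_generic_login_error( $errors, $redirect_to ) {
    if ( ! is_wp_error( $errors ) ) {
        return $errors;
    }

    // Core error codes that distinguish "unknown user" from "wrong password".
    $revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

    if ( ! array_intersect( $revealing, $errors->get_error_codes() ) ) {
        // Empty fields, expired session and similar: keep the specific message.
        return $errors;
    }

    // Replace the whole error set with one message that names neither field.
    $generic = new WP_Error();
    $generic->add(
        'login_failed_generic',
        '<strong>Error:</strong> Incorrect login details. Try again'
    );
    return $generic;
}
add_filter( 'wp_login_errors', 'example_generic_login_error', 10, 2 );
```

Errors such as an empty username or password field keep their original wording, so legitimate users still get useful feedback without the form confirming whether an account exists.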

© 2021   ·   Ehi Kioya   ·   All Rights Reserved