Login Hints WordPress

Hiding Login Hints in WordPress Login Error Messages is Not Easy

WordPress needs to do more on security! Yes, that’s right. WordPress login page provides a handful of information that can be really helpful for hackers. You can call it login hints.

What are login hints?

On the WordPress login page, if you type the wrong username or password, WordPress will tell you what you did wrong.

If you type the wrong username or email address, WordPress will tell you:

The username is not registered on this site. If you are unsure of your username, try your email address instead.

Username not registered

It lets hackers know that they are typing the wrong username.

If you type the right username, but the wrong password, WordPress will tell you:

The password you entered for the username is incorrect. Lost your password?

Password incorrect

Now, the hacker will know for sure that he got the username right. Half of the work is done! The only duty left is to figure out what the password is.

I wanted to disable these login hints in WordPress login error messages. So I added following on my functions.php file:

function no_wordpress_errors(){
  $message = 'Your username or password is incorrect. <a href="'.esc_url(wp_lostpassword_url()).'">Lost your password?</a>';
  return $message;
}
add_filter( 'login_errors', 'no_wordpress_errors' );

Now it says: “Your username or password is incorrect. Lost your password?

Solutions to login error message

Now, you may relax and say, “Well done! I’ve solved a big problem.”

Not really!

The problem still remains. Let me describe.

  1. If you enter the wrong username now, the error message won’t indicate it. But your cursor will do. What you entered in the username field, will be gone and your cursor will be blinking on the username field. That’s how your cursor will indicate that the username is incorrect.
  2. If you enter the right username, but the wrong password, the cursor will be blinking on the password field. And what you entered in the username field won’t be gone; it’ll stay there. That’s how you’ll know that you have got the username right.

This problem can be solved by using JavaScript. As I don’t know JavaScript well, I can’t give you a solution here. If you are an expert in JavaScript, solve this and let me know. Use the email address from our Contact page.

Thanks in advance.

Spread the love

A teacher by profession, a traveler by passion and a netizen by choice.

Morshed Alam

You use WordPress! Why don't we share our experience! It may be a tutorial, tips, tricks or about security, performance or WordPress news. Write Today

Leave a Comment

Your email address will not be published. Required fields are marked *