WordPress gives you hints on the login page to let you know whether you entered a wrong password or a wrong username. Although this can be helpful to your users, it can also allow attackers to guess usernames that are in use.
Method 1: Disable Login Error Message
If you want to disable the login error messages altogether, there’s an easy way to do it.
All you have to do is place this code snippet in your theme’s functions.php file:
// Disable error messages on the login screen
function wpturbo_custom_login_error_message(){
return '';
}
add_filter( 'login_errors', 'wpturbo_custom_login_error_message' );
The above code adds a filter function to the ‘login_errors’ filter. This function then returns an empty string when the login_errors filter is called. This filter is called before WordPress displays the current error message. It lets you customize the error message that will be displayed.
You can also place this code in a custom plugin. Use our plugin header generator to download a starter plugin file and paste the above code into it.
Method 2: Change The Login Error Message
If you don’t want to disable the login error message completely, you can change it to something ambiguous that doesn’t hint what exactly is wrong.
Use this snippet to display a custom error message to your users when they enter incorrect credentials:
// Display a custom error message on the login screen
function wpturbo_custom_login_error_message(){
$msg = 'The username or password you entered is incorrect!';
return $msg;
}
add_filter( 'login_errors', 'wpturbo_custom_login_error_message' );
You can change the error message to whatever you want in the above code snippet. Change the value of the $msg variable to whatever you want the error message to be.
Conclusion
If you don’t disable the errors that WordPress displays on your login page, it will allow attackers to sniff usernames that are being used on the website. They can then use this information to brute-force crack the passwords.
Leave a Reply