When you log in to your WordPress admin with a wrong username, WordPress shows the error message: Invalid username.
When you log in with a wrong password, WordPress shows the error message: Incorrect password.
You may not have noticed that these two different messages give an intruder hints about your login information. This is a classic username enumeration weakness: the login form itself tells the attacker which usernames are worth attacking.
When an intruder gets an Invalid username message, he or she knows that the username DOES NOT exist in your WordPress database and can move on to trying other usernames.
When an intruder gets an Incorrect password message, he or she knows that the username DOES exist in your WordPress database and can concentrate on guessing passwords for that one account.
Change the login’s error message
To make your WordPress a little more secure, change both the Invalid username and the Incorrect password message to one identical message that reveals nothing about which half was wrong, for instance Invalid username or password, or Login failed and any attempt to login will be recorded.
To change the messages, find the two error messages in /wp-includes/pluggable.php
at about lines 451 and 462 (the exact line numbers vary between WordPress versions). Replace both with the same text so that the intruder cannot tell what was wrong with the login attempt. Keep a note of the edit: every WordPress upgrade overwrites the core files, so it has to be reapplied after each update.
[Updates – Thanks David Sullivan for the suggestions]
Change the username field’s value
As suggested by David Sullivan, the username field should be cleared whether the user submitted an invalid username or an invalid password. By default WordPress refills the field only when the username was correct, which leaks the same information the error message did.
At about line 469 of /wp-login.php, change the following code:
<input type="text" name="log" id="user_login" class="input" value="<?php echo $user_login; ?>" size="20" tabindex="10" /></label>
to:
<input type="text" name="log" id="user_login" class="input" value="" size="20" tabindex="10" /></label>
Change the field focusing on error
As suggested by David Sullivan, the username field should always receive focus, whether the user submitted an invalid username or an invalid password. By default WordPress clears and focuses the password field only when the username was correct.
At about line 500 of /wp-login.php, change the following code:
<?php if ( $user_login ) { ?>
setTimeout( function(){ try{ d = document.getElementById('user_pass'); d.value = ''; d.focus(); } catch(e){} }, 200);
<?php } else { ?>
try{document.getElementById('user_login').focus();}catch(e){}
<?php } ?>
to:
try{document.getElementById('user_login').focus();}catch(e){}
Change the page redirection on password retrieval
As suggested by David Sullivan, WordPress should always redirect the user to the e-mail confirmation page (the success page) instead of showing an error message that reveals whether the submitted username or e-mail address exists.
At about line 288 of /wp-login.php, change the following code:
case 'retrievepassword' :
	if ( $http_post ) {
		$errors = retrieve_password();
		if ( !is_wp_error($errors) ) {
			wp_redirect('wp-login.php?checkemail=confirm');
			exit();
		}
	}
to:
case 'retrievepassword' :
	if ( $http_post ) {
		$errors = retrieve_password();
		//if ( !is_wp_error($errors) ) {
			wp_redirect('wp-login.php?checkemail=confirm');
			exit();
		//}
	}
Hopefully these changes will be reflected in a future release of WordPress to make it a more secure blogging platform.
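The same result can be reached without editing core files, which makes the change survive upgrades. The following must-use plugin is an added example written for this page, not code from the original post or from WordPress itself. It relies on three hooks that WordPress provides: the login_errors filter and the lostpassword_post action (both available since WordPress 2.1) and the wp_login_failed action (available since WordPress 2.5). The function names, the log format and the error wording are my own choices. It does not replace the username-field and focus edits to wp-login.php above, because those parts of the form have no hook in these versions.

```php
<?php
/*
Plugin Name: Uniform Login Errors (added example, not part of WordPress)
Description: Same error for wrong username and wrong password, same response for
             known and unknown accounts on "Lost your password?", and a log line
             for every failed login.
             Save as wp-content/mu-plugins/uniform-login-errors.php
*/

// 1. Login form: one message whichever half of the credentials was wrong.
//    'login_errors' receives the HTML WordPress is about to print in the
//    error box on wp-login.php, so returning a fixed string removes the
//    "Invalid username" / "Incorrect password" distinction.
add_filter( 'login_errors', 'ule_uniform_login_error' );
function ule_uniform_login_error( $error_html ) {
	$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
	if ( 'login' !== $action ) {
		return $error_html; // other screens keep their own messages
	}
	// A blank field is the user's own mistake and leaks nothing: keep the hint.
	if ( empty( $_POST['log'] ) || empty( $_POST['pwd'] ) ) {
		return $error_html;
	}
	return '<strong>ERROR</strong>: Invalid username or password. '
	     . 'This attempt has been recorded.';
}

// 2. Lost password: an unknown username or e-mail gets exactly the same page
//    as a known one. 'lostpassword_post' fires inside retrieve_password()
//    before the "Invalid username or e-mail" error is returned and before any
//    output, so we can redirect to the confirmation page ourselves and exit.
add_action( 'lostpassword_post', 'ule_hide_lostpassword_result' );
function ule_hide_lostpassword_result() {
	$login = isset( $_POST['user_login'] ) ? trim( stripslashes( $_POST['user_login'] ) ) : '';
	if ( '' === $login ) {
		return; // empty form: let WordPress ask for a username or e-mail
	}
	// Same lookup retrieve_password() performs: '@' means an e-mail address.
	$exists = ( false !== strpos( $login, '@' ) )
	        ? email_exists( $login )
	        : username_exists( $login );
	if ( $exists ) {
		return; // real account: retrieve_password() sends the mail and redirects
	}
	// Unknown account: behave exactly as on success.
	wp_redirect( 'wp-login.php?checkemail=confirm' );
	exit;
}

// 3. Record every failed login so that "any attempt to login will be recorded"
//    is actually true. Lines go to PHP's error log; point error_log at a file
//    of your own or swap in your logging of choice.
add_action( 'wp_login_failed', 'ule_log_failed_login' );
function ule_log_failed_login( $username ) {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	error_log( sprintf(
		'[%s] wp-login failed: user="%s" ip=%s',
		gmdate( 'Y-m-d H:i:s' ),
		str_replace( array( "\r", "\n" ), ' ', $username ), // one line per attempt
		$ip
	) );
}
```

Files in wp-content/mu-plugins/ are loaded automatically and cannot be deactivated from the admin screen. The lost-password handler repeats the account lookup that retrieve_password() does a moment later; the duplication is the price of not touching wp-login.php. The submitted username is written to the log with line breaks stripped so an attacker cannot forge extra log lines through the login field.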
David Sullivan says
Good post and much needed. However, WordPress still gives it away if you don't also edit the /wp-login.php file.
For example, if the UserName is wrong, by default WP will focus the cursor on the user_login field and blank it out. But if the Password is the incorrect value and the UserName is correct, WP will fill in the user_login field with the correct UserName and focus the cursor on the user_pass field.
The workaround in the wp-login.php file is two-fold:
1) Locate the login form with id="loginform" and under that locate the field with id="user_login" and remove the php text from the value parameter so that it says value="" (about line 469)
2) Next go to the bottom of the page just above the tag and edit the JavaScript so that between the tags it just says:
try{document.getElementById('user_login').focus();}catch(e){}
That should do it!
szehau says
Hi David Sullivan,
Thanks for the heads-up on that issue. I didn't notice that WP focuses the field that generated the login error and keeps the username in the field if the username is correct.
Hopefully the changes will be implemented in the future release of WordPress.
David Sullivan says
Also, the "Lost Your Password" function gives away valid/invalid UserNames. To fix it in /wp-login.php, add the "//" comment markers to the two lines shown in the code below:
case 'retrievepassword' :
	if ( $http_post ) {
		$errors = retrieve_password();
		// if ( !is_wp_error($errors) ) {
			wp_redirect('wp-login.php?checkemail=confirm');
			exit();
		// }
	}
szehau says
You are quite right about that. I always design my systems to show a successful request for the lost-password retrieval even when the user keyed in an invalid user ID.