Why does WordPress identify valid logins by default?
-
When logging in via /wp-login.php, I notice WordPress by default will identify a valid username by returning a different error (Incorrect Password) when a valid username is entered.
(WordPress will return ‘invalid username’ if an invalid username is entered.) Surely this just aids a brute-force attack?
You can fix this in /wp-includes/pluggable.php by modifying wp_authenticate() so that both failure cases return the same message:

    if ( !function_exists('wp_authenticate') ) :
    function wp_authenticate($username, $password) {
        $username = sanitize_user($username);

        if ( '' == $username )
            return new WP_Error('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));

        if ( '' == $password )
            return new WP_Error('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));

        $user = get_userdatabylogin($username);

        if ( !$user || ($user->user_login != $username) ) {
            do_action( 'wp_login_failed', $username );
            // Same wording as the incorrect-password case below, so an unknown
            // username is indistinguishable from a wrong password in the response.
            return new WP_Error('invalid_username', __('<strong>ERROR</strong>: Invalid username or password.'));
        }

        $user = apply_filters('wp_authenticate_user', $user, $password);
        if ( is_wp_error($user) ) {
            do_action( 'wp_login_failed', $username );
            return $user;
        }

        if ( !wp_check_password($password, $user->user_pass, $user->ID) ) {
            do_action( 'wp_login_failed', $username );
            return new WP_Error('incorrect_password', __('<strong>ERROR</strong>: Invalid username or password.'));
        }

        return new WP_User($user->ID);
    }
    endif;

Of course, that change may be overwritten during a version upgrade.
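An upgrade-safe way to get the same effect without editing pluggable.php, as an added example that is not part of the original thread: a must-use plugin hooked on the `authenticate` filter (available in WordPress 2.8 and later), dropped into wp-content/mu-plugins/ where core upgrades do not touch it. It assumes core still signals the two cases with the error codes `invalid_username` and `incorrect_password` as on the page; the function name `ule_uniform_login_error` and the replacement error code `invalid_credentials` are my own choices.

```php
<?php
/*
Plugin Name: Uniform Login Errors (added example, not from the original thread)
Description: Return one generic error for unknown usernames and wrong passwords on wp-login.php.
*/

// Priority 30 runs after core's own 'authenticate' callbacks (registered at 20),
// so by the time we see $user it is either a WP_User or core's WP_Error.
add_filter( 'authenticate', 'ule_uniform_login_error', 30, 3 );

/**
 * Collapse the two error codes that reveal whether an account exists into a
 * single generic error. Every other error (empty fields, spam checks, errors
 * added by other plugins) is passed through unchanged.
 *
 * @param WP_User|WP_Error|null $user     Result of earlier authenticate callbacks.
 * @param string                $username Login submitted on the form.
 * @param string                $password Password submitted on the form.
 * @return WP_User|WP_Error|null
 */
function ule_uniform_login_error( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user;
    }

    // Codes core uses for "no such user" and "user exists, wrong password".
    // (Assumption: same codes as the wp_authenticate() shown on this page.)
    $leaky_codes = array( 'invalid_username', 'incorrect_password' );

    foreach ( $user->get_error_codes() as $code ) {
        if ( in_array( $code, $leaky_codes, true ) ) {
            // Same code and same wording regardless of which check failed.
            // Core has already fired 'wp_login_failed' for this attempt, so
            // lockout/rate-limit plugins still see the failure.
            return new WP_Error(
                'invalid_credentials',
                __( '<strong>ERROR</strong>: Invalid username or password.' )
            );
        }
    }

    return $user;
}
```

One caveat that applies equally to the pluggable.php edit above: a uniform message removes the difference in the response body, but core only runs the password hash check when the username exists, so the two cases can still differ slightly in response time. Treat this as raising the cost of enumeration rather than eliminating it, and keep a lockout or rate limit on wp-login.php as well.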
-
You are in the wrong forum. This forum is for blogs hosted at wordpress.COM and we do not have access to php files here. https://en.forums.wordpress.com/topic/please-read-me-first-before-posting?replies=1 Head over to http://wordpress.ORG/support
- The topic ‘Why does WordPress identify valid logins by default?’ is closed to new replies.