It’s always good to present the least amount of information related to error messages so that bots don’t take advantage of the additional knowledge that those messages present.
One way of hardening WordPress is through modifying the error messages related to the login form.

We can adjust the error message strings so that bots won’t recognize what the errors mean, assuming that the bots look only for the default error messages and adjust their behavior based on the messages they “read”.
In this post, we will leave enough of the original error message intact that users still understand what the issue is.
To help us achieve this password protection, we need to hook into the login_errors filter.
First off, let’s hook into the filter and make sure to match the parameters correctly:
    add_filter('login_errors', 'ian_sackofwits_modify_login_errors');
    function ian_sackofwits_modify_login_errors($errors)
    {
        //TODO
    }
Next, we’ll make an array with the error message strings:
    $error_messages = array(
        "Unknown username. Check again or try your email address.",
        "Unknown email address. Check again or try your username.",
    );
Next, we use the array_map function with the trim and strip_tags functions to make sure the strings are in a standard format for later comparison purposes:
    $error_messages = array_map(
        function($str){
            return trim(strip_tags($str));
        }, $error_messages);
Now, we check to see if the error message corresponds to one of the error messages related to an incorrect email address or username and we adjust the error message accordingly:
    if (in_array(trim(strip_tags($errors)), $error_messages))
    {
        if (preg_match("/Unknown username/i", $errors))
        {
            return "Unknown user";
        }
        else if (preg_match("/Unknown email address/i", $errors))
        {
            return "Unknown email";
        }
    }
And then finally, we return the errors string in case the error message does not correspond to an incorrect email address or username:
    return $errors;
Here’s the complete code for our login form hardening exercise:
    add_filter('login_errors', 'ian_sackofwits_modify_login_errors');
    function ian_sackofwits_modify_login_errors($errors)
    {
        // Default messages we want to shorten.
        $error_messages = array(
            "Unknown username. Check again or try your email address.",
            "Unknown email address. Check again or try your username.",
        );
        // Normalize the strings (no tags, no surrounding whitespace) for comparison.
        $error_messages = array_map(
            function($str){
                return trim(strip_tags($str));
            }, $error_messages);
        // Only rewrite the message when it is one of the defaults above.
        if (in_array(trim(strip_tags($errors)), $error_messages))
        {
            if (preg_match("/Unknown username/i", $errors))
            {
                return "Unknown user";
            }
            else if (preg_match("/Unknown email address/i", $errors))
            {
                return "Unknown email";
            }
        }
        // Any other error message passes through unchanged.
        return $errors;
    }
As always, add this code to your theme’s functions.php file or use a plugin such as Code Snippets.
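
The same substitution keyed on WordPress error codes rather than on message text, so it still applies when the site language or the default wording differs. This is an added example, not code from the original post: it goes beyond the post by using core's wp_login_errors filter and the invalid_username / invalid_email codes, and every function name prefixed example_ is hypothetical.

```php
<?php
// Added example (not from the original post); example_* names are hypothetical.

// Short replacements, keyed by WordPress core error code.
function example_short_login_messages() {
    return array(
        'invalid_username' => 'Unknown user',
        'invalid_email'    => 'Unknown email',
    );
}

// Pure helper: takes code => list of messages and returns the same shape
// with the mapped codes shortened. Unmapped codes pass through unchanged.
function example_shorten_by_code(array $messages_by_code) {
    $short = example_short_login_messages();
    foreach ($messages_by_code as $code => $messages) {
        if (isset($short[$code])) {
            $messages_by_code[$code] = array($short[$code]);
        }
    }
    return $messages_by_code;
}

// WordPress adapter: wp_login_errors passes the WP_Error object, so the
// decision is made on the error code, not on the translatable text.
function example_filter_wp_login_errors($errors, $redirect_to) {
    $by_code = array();
    foreach ($errors->get_error_codes() as $code) {
        $by_code[$code] = $errors->get_error_messages($code);
    }
    foreach (example_shorten_by_code($by_code) as $code => $messages) {
        if ($messages !== $by_code[$code]) {
            $errors->remove($code);            // drops the original text
            $errors->add($code, $messages[0]); // re-adds the short form
        }
    }
    return $errors;
}

if (function_exists('add_filter')) {
    add_filter('wp_login_errors', 'example_filter_wp_login_errors', 10, 2);
} else {
    // Run outside WordPress (php on the command line): constructed sample input.
    $sample = array(
        'invalid_username'   => array('<strong>Fehler:</strong> Unbekannter Benutzername.'),
        'incorrect_password' => array('The password you entered is incorrect.'),
    );
    print_r(example_shorten_by_code($sample));
}
```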