How to Change the WordPress Login Error Message


There are many steps you can take to harden your WordPress installation and make it a more difficult target for hackers. We previously talked about changing the URL of the WordPress login page, removing the version numbers from all posts and pages as well as RSS feeds, implementing login restrictions, etc. Much of this revolves around taking away information from hackers that they can exploit. Sometimes it’s a trade-off between security and usability – a helpful error message to visitors can translate into an entry point for hackers.

Let’s take the WordPress login page for example. When you accidentally enter a wrong username, WordPress reloads the page with an error message telling you that you got the username wrong, as shown here:

[Screenshot: the “Invalid username” error message]

This is clearly beneficial to a genuine user of your site, but it also provides valuable information to a hacker trying to break into it. It tells them that they got the username wrong and that they need to try another one. Without this information, they might not know which field generated the error – username or password? In fact, if you get the password wrong on a WordPress login page, it displays another, even more helpful error message to everyone:

[Screenshot: the “wrong password” error message]

This one tells hackers that while they got the password wrong, the username is correct! That reduces their work by half, making it exponentially easier for them to test various commonly used passwords. It means that they’re just one lucky guess away from accessing your site. If you’re serious about WordPress security and hardening your installation, you need to limit these attack vectors. That means getting rid of potentially dangerous information even when it might result in a very slight loss in user-friendliness.

Removing Login Error Messages Entirely

The most obvious solution is to simply delete all login error messages. When the page reloads, the user will anyway know that they got something wrong. Luckily for us, WordPress provides a convenient filter that allows us to manipulate the login error message according to our needs. This filter is called “login_errors” and we can use the code shown below in our functions.php file or any other location where we place custom PHP code.

function remove_all_login_errors( $error ) {
    // Return nothing, so WordPress prints an empty error box.
    return null;
}
add_filter( 'login_errors', 'remove_all_login_errors' );

In this simple code snippet, we create a new function of our own attached to the login_errors filter and return a null value. After you’ve saved your functions.php file, try logging in with a wrong username or password and you should get the following screen this time.

[Screenshot: the login page with the error message removed]

As you can see, all compromising information has been removed. A hacker won’t know which of the fields they got wrong and so will have to try permutations and combinations for two separate pieces of information instead of just one.

However, I personally feel that the above screen is a bit too unfriendly. Instead of removing the message entirely, we can simply return a common-sense error message like “Incorrect login information”. All we need to do is replace the “null” return value with the error message as a string.

function remove_all_login_errors( $error ) {
    // One generic message, whichever field was wrong.
    return "Incorrect login information";
}
add_filter( 'login_errors', 'remove_all_login_errors' );

As you can see in the screenshot below, we now have a general purpose error message which at the same time provides no opening for hackers to exploit.

[Screenshot: the login page showing the generic “Incorrect login information” message]
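One drawback of the snippet above is that the login_errors filter receives every message WordPress prints in the red box, including harmless ones such as “The password field is empty.” and the lost-password form’s errors, so they all get replaced too. The following refinement, added here as an example and not code from the original post, masks only the error codes that reveal whether an account exists and leaves everything else untouched. It reads the WP_Error object that wp-login.php keeps in its file-scope variable $errors (reachable as a global from the callback); the text domain 'my-textdomain' is a placeholder.

```php
<?php
/**
 * Mask only credential-related login errors, so the page no longer reveals
 * whether the username or the password was wrong, while other messages
 * (empty fields, lost-password errors) keep their original wording.
 *
 * Example added for this article; put it in functions.php like the snippet
 * above. Assumes the standard wp-login.php form, where $errors is set.
 */
function mask_credential_login_errors( $error_html ) {
    // wp-login.php assigns the WP_Error returned by wp_signon() to $errors
    // at file scope, which makes it available as a global here.
    global $errors;

    // Error codes that confirm or deny the existence of an account.
    $credential_codes = array(
        'invalid_username',   // no account with that username
        'invalid_email',      // no account with that e-mail address
        'incorrect_password', // account exists, password wrong
    );

    if ( ! is_wp_error( $errors ) ) {
        // Nothing to inspect; keep whatever WordPress produced.
        return $error_html;
    }

    $leaking = array_intersect( $errors->get_error_codes(), $credential_codes );
    if ( empty( $leaking ) ) {
        // None of the current errors says anything about account existence,
        // so the friendlier original text can stay.
        return $error_html;
    }

    // Replace the whole block with one neutral message. esc_html__() both
    // makes the string translatable and escapes it for HTML output.
    return esc_html__( 'Incorrect login information.', 'my-textdomain' );
}
add_filter( 'login_errors', 'mask_credential_login_errors' );
```

With this in place a wrong username and a wrong password produce the identical screen, while a user who simply left a field blank still gets told which one.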

By itself, this change might not make a huge difference to your site security. But hardening your WordPress installation consists of a series of tiny steps, each of which contributes to the whole.
