Lost Password Requests - Hardening WordPress
Reported by: neoxx | Owned by: ryan
just a security thought. - as i have a public authors list on my blog, an attacker could easily use this list to bother my users with password-reset mails.
fortunately, we have the lostpassword_post hook, thus i'm able to redirect all lost-password requests, which are not based on registered e-mail addresses, to wp-login.php?action=lostpassword. nevertheless, to avoid confusing my users, i still need to manually change the messages in wp-login.php from '*username or e-mail*' to only '*e-mail*'.
to summarize, it would be helpful to have a filter for these messages...
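The workaround described in the report, sketched as a small plugin snippet. This is an added example, not code from the ticket or from WordPress core; the function name `example_restrict_lostpassword_to_email` is hypothetical, and it assumes the standard wp-login.php form, which submits the value in the `user_login` field.

```php
<?php
/**
 * Added example: accept lost-password requests only when the submitted
 * value is the e-mail address of a registered account. Usernames taken
 * from a public authors list no longer trigger a reset mail.
 */
add_action( 'lostpassword_post', 'example_restrict_lostpassword_to_email' );

function example_restrict_lostpassword_to_email() {
	// Only act on a real form submission. When the field is missing or
	// empty, core reports its own error and sends no mail.
	if ( empty( $_POST['user_login'] ) || ! is_string( $_POST['user_login'] ) ) {
		return;
	}

	// The same field carries both usernames and e-mail addresses.
	$submitted = trim( wp_unslash( $_POST['user_login'] ) );

	// Continue only for a syntactically valid address that belongs
	// to an existing account.
	if ( is_email( $submitted ) && email_exists( $submitted ) ) {
		return;
	}

	// Anything else (a username, an unknown address) goes back to the
	// lost-password form before any reset mail is generated.
	wp_safe_redirect( site_url( 'wp-login.php?action=lostpassword', 'login' ) );
	exit;
}
```

Because the redirect happens only for input that is not a registered address, the form's response still differs between known and unknown addresses. The form text still reads "username or e-mail" unless it is changed separately, which is the gap the report asks a filter for.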
Change History (11)
- Keywords reporter-feedback added
- Milestone changed from Unassigned to Future Release
- Priority changed from normal to low
- Severity changed from normal to minor