Opened 4 years ago

Closed 2 years ago

Last modified 2 years ago

#10006 closed enhancement (wontfix)

Lost Password Requests - Hardening WordPress

Reported by: neoxx Owned by: ryan
Priority: low Milestone:
Component: Security Version: 2.8
Severity: minor Keywords:
Cc:

Description

Hi,

Just a security thought: as I have a public authors list on my blog, an attacker could easily use this list to bother my users with password-reset mails.

Fortunately, we have the lostpassword_post hook, thus I'm able to redirect all lost-password requests which are not based on registered e-mail addresses to wp-login.php?action=lostpassword. Nevertheless, to avoid confusing my users, I still need to manually change the messages in wp-login.php from '*username or e-mail*' to only '*e-mail*'.

To summarize, it would be helpful to have a filter for these messages...

Greetz,
berny

Change History (11)

  • Keywords reporter-feedback added
  • Milestone changed from Unassigned to Future Release

You can override the login screen in its entirety in WP 2.8.

My understanding is that WP only ever sends one password reset request. I might be getting this wrong, however.

  • Priority changed from normal to low
  • Severity changed from normal to minor

As an extra feature to this, maybe it's useful to also include in this mail the IP and User-Agent information.

on wishlist30 for neoxx

Related: #2870

Related, #12682.

  • Keywords reporter-feedback removed

In addition to #12682 : It would be helpful to have a bunch of filters for the messages generated in wp-login (e.g. http://core.trac.wordpress.org/attachment/ticket/15384/class-wp-login-20101222-r17107.php#L177). Right now I have to edit wp-login.php on every core update...

@neoxx: The error messages you're referring to all get translated, so you can modify them via the 'gettext' filter without hacking core files. Check out http://blog.ftwr.co.uk/archives/2010/01/02/mangling-strings-for-fun-and-profit/
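A combined worked example for the approach in the description (rejecting lost-password requests that are not an e-mail address via the lostpassword_post hook) and the gettext tip in the comment above. This is added example code, not anything from the ticket, its participants or WordPress core; the `lph_` function names, the plugin header, and the two core strings in the replacement table are assumptions and must be checked against the copy of wp-login.php actually installed, since the gettext filter only matches strings character for character.

```php
<?php
/*
Plugin Name: Lost Password Hardening (added example)
Description: Accept only e-mail addresses on the lost-password form and relabel the form accordingly.
*/

// Reject lost-password requests that are not an e-mail address, so a public
// author list cannot be used to trigger reset mails by username.
// WordPress 2.8 calls this hook with no arguments; since 4.4 it passes the
// WP_Error collector, which lets us report the problem on the form instead
// of redirecting (assumption: behaviour checked against the running core).
function lph_require_email_for_reset( $errors = null ) {
    $login = isset( $_POST['user_login'] ) ? trim( stripslashes( $_POST['user_login'] ) ) : '';

    // is_email() is a syntactic check only; retrieve_password() still verifies
    // that the address belongs to a registered user and sends nothing otherwise.
    if ( is_email( $login ) ) {
        return;
    }

    if ( $errors instanceof WP_Error ) {
        $errors->add(
            'lph_email_required',
            __( '<strong>ERROR</strong>: Please enter the e-mail address registered with your account.', 'lph' )
        );
        return;
    }

    // Older cores (no $errors argument): fall back to the redirect described in the ticket.
    wp_safe_redirect( wp_login_url() . '?action=lostpassword' );
    exit;
}
add_action( 'lostpassword_post', 'lph_require_email_for_reset' );

// Rewrite the core form strings that still mention usernames, without editing
// wp-login.php. Keys are the untranslated core strings ('default' text domain);
// the two below are taken from the 2.8-era form and are assumptions to verify.
function lph_relabel_lost_password_form( $translated, $original, $domain ) {
    // Core strings live in the 'default' domain; bail early for everything else
    // because this filter runs for every translated string on every request.
    if ( 'default' !== $domain ) {
        return $translated;
    }

    static $replacements = array(
        'Username or E-mail:' => 'E-mail:',
        '<strong>ERROR</strong>: Enter a username or e-mail address.'
            => '<strong>ERROR</strong>: Enter your e-mail address.',
    );

    if ( isset( $replacements[ $original ] ) ) {
        return $replacements[ $original ];
    }
    return $translated;
}
add_filter( 'gettext', 'lph_relabel_lost_password_form', 10, 3 );
```

Drop the file into wp-content/plugins (or mu-plugins) and activate it. The second filter can be scoped further by registering it only from the `login_form_lostpassword` action so that it is not consulted on ordinary front-end requests; the early text-domain check already keeps the cost of the global registration small. Note that the hook only controls which requests reach retrieve_password(); the reset mail itself is still sent once per valid request, which is why the ticket's concern is nuisance mail to real users rather than account takeover.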

  • Resolution set to wontfix
  • Status changed from new to closed

@coffee2code: Thanks for the tip, I wasn't aware of that filter.

Closing the ticket in favor of #12682.

  • Keywords login security lostpassword removed
  • Milestone Future Release deleted