id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
10006	Lost Password Requests - Hardening WordPress	neoxx	ryan	"hi,

just a security thought. - as i have a public authors list on my blog, an attacker could easily use this list to bother my users with password-reset mails.

fortunately, we have the lostpassword_post hook, thus i'm able to redirect all lost-password request, which are not based on registered e-mail addresses, to wp-login.php?action=lostpassword. nevertheless, to avoid confusing my users, i still need to manually change the messages in wp-login.php from '*username or e-mail*' to only '*e-mail*'.

to summarize, it would be helpful to have a filter for these messages...

greetz,
berny"	enhancement	closed	low		Security	2.8	minor	wontfix