__group__ ticket summary owner _component _version priority severity milestone type _status workflow _created modified _description _reporter Candidates for Closure 50637 Forgot password reset link become text after sending email. Login and Registration 5.4.2 normal minor Awaiting Review defect (bug) new reporter-feedback 2020-07-12T16:28:18Z 2023-08-21T11:49:04Z "Forgot password reset link become text after sending email. https://i.ibb.co/Db13D7M/WP-Reset-email.png Like upper image it convert url link into

tag. " tfarzan007 Candidates for Closure 50672 Login Mask jerks when I define Privacy Policy page in Chrome Browser Login and Registration 5.4.2 normal normal Awaiting Review defect (bug) new reporter-feedback 2020-07-15T19:50:30Z 2023-08-21T11:55:44Z "Login Mask jerks when define Privacy Policy page. The problem occurs only in Chrome Browser and /wp-login.php [https://dl.dropbox.com/s/8a7gqtakajn7ey6/Login%20jerks.gif] " Frank Noack Candidates for Closure 34372 Password reset link invalid for user names containing blanks Login and Registration 4.3.1 normal normal Awaiting Review defect (bug) new reporter-feedback 2015-10-20T18:35:44Z 2021-01-12T21:56:43Z When a user name contains a blank, resetting the corresponding password. The URL in the reset email will contain a blank, at which point the link will be interrupted. ditler Candidates for Closure 45816 Reset password is not working Login and Registration 5.0.1 normal normal Awaiting Review defect (bug) new reporter-feedback 2019-01-03T14:58:29Z 2019-01-07T10:18:55Z "Hello When I update wordpress version-5.0.1, I have not getting reset link on mail. I am using ""Pie Register – Custom Registration Form and User Login WordPress Plugin"" this plugin for login-registration." poojabeeline Candidates for Closure 37857 Strange behaviour for COOKIE_DOMAIN since Wordpress 4.6 Login and Registration 4.6 normal normal Awaiting Review defect (bug) new reporter-feedback 2016-08-28T11:53:15Z 2023-10-05T01:04:22Z "I hope I am right here, because since the last update for WordPress 4.6 there is a very strange behaviour with the by hand sedate constant COOKIE_DOMAIN. I have adapted COOKIE_DOMAIN in wp-config.php to be able to use the same login data about multible domains away. Since the update for WordPress 4.6 this causes problems with the browser cache for all dynamic data transfers, like forms etc. Not only in WordPress, but also in form-plugins or WooCommerce. 
With the example WooCommerce: data for the goods basket are updated always only after a renewed page-reload. That means, if you go to basket, no changes are active. You need to reload the basket to see the changes in action. The same behavior with changes in forms for addresses etc. Absolutely no caching module is active. If browser caching is disabled, everything works fine. These are the changes I've made for the COOKIE_DOMAIN in wp-config.php: {{{#!php add( 'username_space', __( 'Username cannot contain spaces.', 'text-domain' ) ); } return $errors; } add_filter( 'registration_errors', 'prefix_check_username_for_spaces', 10, 3 ); }}} " wparslan Candidates for Closure 52964 Video On Login Page Login and Registration normal normal Awaiting Review enhancement new reporter-feedback 2021-04-03T12:12:29Z 2023-08-16T16:43:16Z "So I was wondering about how can I add a video as a background of the login form by editing the login form's code. Turns out we cannot as there is no vector to do so. Can we add a hook to do so..?" wparslan Tickets Needing Feedback 38079 Add hooks before output for each action in wp-login.php voldemortensen Login and Registration 4.7 normal normal Future Release enhancement assigned reporter-feedback 2016-09-17T19:13:19Z 2017-10-03T05:59:58Z "7 years ago, in #9682, `wp-login.php` was made more pluggable. The thing is, if you just want to change the look (as my plugin ""Theme My Login"" does), you also have to replicate the logic. Having an action that fires just before the `login_header()` call in each case of the action handler switch should be sufficient. One such hook is already present for one action: `lost_password`. However, the hook `register` is already in use for the register link as is the format `{$action}_form`. So, I propose using `pre_{$action}_form`. Patch incoming." 
jfarthing84 Tickets Needing Feedback 35428 Allow the suppression of errors if user already exists Login and Registration normal normal enhancement new reporter-feedback 2016-01-12T21:19:14Z 2019-06-04T20:21:01Z "The install instructions for s2members requires that we add a filter to suppress errors it seems to be we should add the filter to allow this. " pbearne Tickets Awaiting Review 38432 Validate user creation and email change by token Login and Registration 4.9 normal normal Awaiting Review feature request new needs-unit-tests 2016-10-21T13:34:31Z 2018-01-17T11:57:10Z "When you register on a wordpress site or when you change your email, we can use a fake email (or error entry) and it create ghost profile. I see 36 bad profile in 2 month on a website. If an email is send with a validate links (token), the profile or the email change can be executed. It secure correct data. Thanks " lriaudel Candidates for Closure 38750 Split wp_signups into wp_user_signups and wp_blog_signups Login and Registration 3.0 normal normal Awaiting Review feature request new needs-unit-tests 2016-11-10T19:07:00Z 2019-05-26T19:10:11Z "Right now, `wp_signups` (and the entire related API) does double-duty. 
It's 1 database table that's used for both users & blogs, but there are a few issues with this approach: * Open sign-ups may or may not include ability to create sites * There is no UI for managing sign-ups in WordPress core * Sign-ups are different between singlesite & multi-site * Plugins like BuddyPress do their best to include and/or work-around WordPress's core functionality, but end up writing a ton of additional code to manage this * Other membership plugins are forced to roll their own approach every single time * It's possible for multisite sign-up race conditions to exist, with users & sites created or activated from underneath each other (documented in `wpmu_activate_signup()`) I'm adding the multisite focus to this issue, because all of the current code is only relevant to multisite, but I'd like to see single-site inherit whatever future approach we can come up with. The core sign-ups code, stinks. Yet open registration is part of what makes WordPress & community/membership sites great. I think it would be great to take what we've learned from BuddyPress, WordPress.org, WordPress.com, and the bevy of Membership plugins, and make a great sign-up component/API for WordPress core." johnjamesjacoby Tickets with Patches 17904 Multisite has more restrictions on user login character set Login and Registration 3.0 normal normal Future Release defect (bug) assigned needs-unit-tests 2011-06-27T11:09:12Z 2024-02-27T07:08:40Z "Multisite has more restrictions on the characters allowed in a user's login name compared to single site. This seems unnecessary and confusing. It was also the root of a recent bug in the importer, see [http://wordpress.org/support/topic/invalid-author-importing-single-wordpress-to-mulitsite-wordpress?replies=21#post-2186667 this forum thread] and the [http://plugins.trac.wordpress.org/changeset/401649 workaround]. 
I haven't worked up a patch yet since there seem to be a few locations where these restrictions are enforced and I don't know if I have found them all yet: - wpmu_validate_user_signup() uses the regex `/[a-z0-9]+/` - ms-default-filters.php adds `strtolower` to `sanitize_user` Relevant: http://mu.trac.wordpress.org/changeset/1689 [12948]" duck_ Tickets with Patches 53348 No form to log in when visiting wp-login.php with a given query string SergeyBiryukov Login and Registration normal normal Future Release defect (bug) reviewing needs-unit-tests 2021-06-07T12:46:39Z 2022-04-08T06:05:11Z "When I visit the wp-login.php page with specific query strings, I get a blank page. I don't get a form to log in. The query strings that cause the blank page are - wp-login.php?action=checkemail - wp-login.php?checkemail=foo - wp-login.php?checkemail=bar - wp-login.php?checkemail=baz - Note though, wp-login.php?checkemail=confirm does give me a form" henry.wright Unpatched Enhancements 51173 Add support for /.well-known/change-password Login and Registration normal normal Future Release feature request new needs-unit-tests 2020-08-28T10:48:40Z 2022-10-05T20:23:30Z "[Chrome Feature](https://www.chromestatus.com/feature/6256768407568384) [Editors Draft](https://wicg.github.io/change-password-url/) This already landed in Safari Would it be possible to add support for **/.well-known/change-password** into WordPress? This might redirect to **wp_login_url()** " romainmrhenry Tickets Awaiting Review 34507 New action `before_login_form` Login and Registration normal normal Awaiting Review enhancement new needs-docs 2015-10-30T07:33:57Z 2017-01-10T12:21:39Z "I can add new fields before default fields form. 
For example I can add social login : https://food52.com/users/sign_in?next_url=%2F" sebastian.pisula Candidates for Closure 55260 Update Codex Page to Include Password Visibility Button and Language Switcher Login and Registration 5.9.1 normal normal Awaiting Review enhancement new needs-docs 2022-02-25T16:43:24Z 2022-02-25T16:43:24Z "The Codex page, [https://codex.wordpress.org/Customizing_the_Login_Form /Customizing the Login Form], needs to be updated to include the [https://ibb.co/1dZ23W1 /login form password visibility button and the language switcher]. To assist, the following can be added to the updated page for the benefit of all WordPress users: **Code to Disable the Password Visibility Button:** {{{ function remove_wp_hide_pw_button() { ?> see signup-activate-1.patch If running `wp()` is required for a reason i don't see, a query could still be saved and it could be interested to use this to set a ""page"" title for the `` tag. > see signup-activate-2.patch " imath Slated for Next Release 58901 Flush 'user_activation_key' after successfully login rajinsharwar Login and Registration normal normal 6.6 enhancement assigned has-patch 2023-07-25T08:38:46Z 2024-02-12T09:18:32Z "Hi all, Let's imagine the next steps: 1. User goes to `{site_url}/wp-login.php?action=lostpassword` for getting reset password link to its email. 2. Then go to email and open the reset password link with an expiration time (`DAY_IN_SECONDS` by default). It has been resolved [https://core.trac.wordpress.org/ticket/32429 a long time ago]. But then he remembers his old password and login using a second web browser with its username and old password. At the same time, the link to reset the password remains active in the first browser for a whole day. 3. If it's a public laptop anybody can use the reset password link and login with new credentials and make some hacker things. 
**Suggestions:** Flush the 'user_activation_key' after successful login: wp-includes/user.php::line 113 before {{{ do_action( 'wp_login', $user->user_login, $user ); }}} Can be added this line: {{{ global $wpdb; $wpdb->update( $wpdb->users, array( 'user_activation_key' => '', ), array( 'ID' => $user->ID ) ); }}} Best Regards!" nsinelnikov Slated for Next Release 60668 Missing translation in login_header() first parameter audrasjb* Login and Registration 2.1 normal minor 6.6 enhancement accepted has-patch 2024-03-01T10:22:14Z 2024-03-02T09:19:02Z "Hey there Actuel code from WP (wp-login.php): {{{#!php <?php function login_header( $title = 'Log In', $message = '', $wp_error = null ) { }}} The `$title` here will be print as is, in any language. WordPress uses it the right way by always passing a translatable string as first param, but since there is a default value, some plugins can use it without it ''(and they do it, i've check wpdirectory, more than 1M install, 7 plugins are doing it)''. So we cannot remove the default value or we will break the world in half, we have to choose between this: {{{#!php <?php function login_header( $title = 'Log In', $message = '', $wp_error = null ) { if ( 'Log In' === $title ) { $title = __( 'Log In' ); } }}} or {{{#!php <?php function login_header( $title = null, $message = '', $wp_error = null ) { if ( is_null( $title ) ) { $title = __( 'Log In' ); } }}} We can also use a ternary test to do it, as you want, the point is, **what is the default value now?** In both cases and same as now you can still pass `""""` to print nothing and it's OK. By using null as default and passing `""Log In""` as param you will print a non translated string `""Log In""` ''(in any language)''. By using `""Log In""` as default and passing `""Log In""` as param you will print a correctly translated string `""Se connecter""` ''(here in french)''. 
Thanks" juliobox Tickets Awaiting Review 54685 Admin email verification redirects back to login page Login and Registration 5.8.1 normal normal Awaiting Review defect (bug) new has-patch 2021-12-23T00:53:15Z 2024-03-12T19:38:31Z "Hi everyone, Recently, our admins started getting `Administration email confirmation` on logon. However, after clicking on `This email is correct` admins are redirected back to login page and asked to login again. We've tried many times and it's an infinite loop of logging in, confirming email address, redirecting back to login page, logging in, confirming email address, redirecting to login page and so on. We use login URL configured on the /wp-admin/options-general.php?page=move-login page and it seems like WP doesn't properly handle admin email confirmation when login URL is set. I had a look at the codebase and I believe this `?action=confirm_admin_email` string parameter gets lost when webserver redirects `wp-login.php` to configured login page: https://github.com/WordPress/WordPress/blob/b788e6255a97dbdd1dc55d42f8fbeeb66c806214/wp-login.php#L623 I added one more hidden input same way as `redirect_to` is implemented https://github.com/WordPress/WordPress/blob/b788e6255a97dbdd1dc55d42f8fbeeb66c806214/wp-login.php#L635 and this fixed the issue. I'm happy to attach a patch file. Kind regards, Mikhail Golenkov" golenkovm Tickets Awaiting Review 57032 Percent sign in site title leads to signing up new users not working Login and Registration 6.0.3 normal normal Awaiting Review defect (bug) new has-patch 2022-11-08T12:03:35Z 2023-08-15T12:39:15Z "When a web site title contains a percent sign, e.g. 
{{{ Brand name - 100% organic }}} the process of signing up a new user in `/wp-admin/user-new.php` will fail with a fatal error, probably because the percent sign is interpreted as a placeholder by `sprintf()` in /wp-includes/ms-functions.php around line 1105: {{{ Fatal error: Uncaught ArgumentCountError: 3 arguments are required, 2 given in (...)/sites/wheaty_v3/htdocs/wp-includes/ms-functions.php:1105Stack trace: #© (...)/htdocs/wp-includes/ms-functions.php(1105): sprintf(' Hallo, Indu wurde.. , 'https://www.whe...#1 (...)/htdocs/wp-includes/class-wp-hook.php(307): wpmu_signup_user_notification('(...)','(...).. '36db891bc11cbbc.. , Array) #2 (...)/htdocs/wp-includes/class-wp-hook.php(331): WP_Hook->apply_filters("",Array)#3(...)/htdocs/wp- includes/plugin.php(476):WP_Hook->do_action(Array)#4 /(...)/htdocs/wp-includes/ms-functions.php(892): do action('after_signup_us..., '(...)', '(...) '36db891bc11cbbc..., Array) #5 (...)/wheaty_v3/htdocs/wp-admin/user-new.php(226): wpmu_signup_user('oliver2', 'technik@hansetr.. , Array) #6 {main} thrown in /(...)/htdocs/wp-includes/ms-functions.php on line 1105 }}} Presumably, the web site title needs to be escaped somewhere in the `apply_filters()` call. " pekka.gaiser Tickets Awaiting Review 46033 Please fix redirect in wp-login.php Login and Registration 5.0.3 normal normal Awaiting Review defect (bug) new has-patch 2019-01-18T10:45:43Z 2019-01-19T22:32:26Z "On line 619 in wp-login.php there is a redirect that does not take in account site_url setting which is braking experience in some cases. 
Therefore, the suggested fix is to replace {{{#!php <?php wp_safe_redirect(remove_query_arg( array( 'key', 'login' )) ); }}} with {{{#!php <?php wp_safe_redirect( site_url(remove_query_arg( array( 'key', 'login' )) ) ); }}} " tinodjwp Tickets Awaiting Review 28212 determine_current_user filter with priority <10 gets overridden Login and Registration 3.9 normal normal Awaiting Review defect (bug) new has-patch 2014-05-12T01:35:55Z 2020-10-24T03:56:24Z "Introduced in #26706. `wp_validate_auth_cookie` was shoehorned into this filter, and as such, doesn't return what the filter expects. On any error at all, it returns `false`, even if the ""error"" is that the cookie isn't set. If a function hooked into a lower priority (i.e. <10) returns a user ID, this will then be overridden by the built-in auth cookie." rmccue Tickets Awaiting Review 54246 wp_logout sometimes causes 'upstream sent too big header' Login and Registration normal normal Awaiting Review defect (bug) new has-patch 2021-10-12T14:15:58Z 2021-12-06T07:09:33Z "I'm using nginx as a proxy for my wp. By default setting for 'fastcgi_buffer_size' is set to 4k. If you do a headers_list() during wp_logout, you will see the size is almost 3k. So if we combine this wp_logout with other hook which also sets couple headers. Sometimes this 4k limit reached and blowing out the buffer and resulting in a HTTP 500 error. The fix is to increase the 'fastcgi_buffer_size' setting. But increasing this setting will cause unnecessary memory usage for regular use. So it's recommended to decrease this huge list of setcookie especially each of this is so long." erikdemarco Tickets Awaiting Review 39927 Add support for CSS class and attributes in wp_login_form input fields Login and Registration 4.7.2 normal normal Awaiting Review enhancement new has-patch 2017-02-21T14:23:14Z 2019-04-24T22:05:26Z "I think adding support for class and a few useful attributes like placeholder and required for default login form (wp_login_form). 
In `wp-includes/general-templates.php` (line 402), if we can pass `$args` like this it would be nice: {{{ $args = array( ... 'placeholder_username' => __('Your login Id'), 'placeholder_password' => __('Your password (case sensitive)'), 'username_required' => true, 'password_required' => true, 'username_css_class' => 'form_control', 'password_css_class' => 'form-control', 'username_remove_size' => true, 'password_remove_size' => true ); }}} This will have the following benefits: 1) We can use HTML5 native client side validation 2) We can tell WordPress to use custom class name (if none is supplied, default would be used) 3) Placeholder will help removing labels and save space 4) Size attribute if set to `true` will not be used. This is useful if I don't need it at all. Based on the above values the `<form>` element also could be modified like this: {{{ $form = '<form ...> <input type=""text"" <?php if($args[""username_required""] == true) echo ""required"" ... ?> </form>'; if($args['echo']){ echo $form; } else { return $form; } }}}" subrataemfluence Tickets Awaiting Review 23279 Add templates to style registration, signup, activation, login and password reset pages Login and Registration normal normal Awaiting Review enhancement new has-patch 2013-01-23T22:20:58Z 2017-02-22T09:54:26Z "As [https://irclogs.wordpress.org/chanlog.php?channel=wordpress-dev&day=2013-01-23&sort=asc#m539267 discussed in IRC], the ability to override the various user-related pages would be a great ability for themes to have. At the moment, it's pretty tedious to style these and there's very little control over the content of the page (some for good reason, others not so much). Related: #1155, #3123, #22139" rmccue Tickets Awaiting Review 34712 New filter: `reset_password_url` Login and Registration normal normal Awaiting Review enhancement new has-patch 2015-11-17T11:46:06Z 2017-08-27T22:36:01Z For example if I want to make custom reset password page. 
sebastian.pisula Tickets Awaiting Review 36010 New password reset styling changes are confusing to casual users Login and Registration 4.4 normal major Awaiting Review enhancement new has-patch 2016-02-29T16:20:53Z 2020-02-08T14:04:34Z "I've noticed an uptick in how many of my users have been confused by the password reset process recently. In talking a few of them through the process, I realized that there are two spots where they are unsure of what to do: * On the password reset screen, the ""New password"" input doesn't look like the other inputs they've encountered, like at wp-login.php. * Once they click ""Reset password,"" they're expecting to receive an email containing the new password (and aren't realizing that the characters in the ""new password"" box are the new password). So, when they're redirected to a standard login screen, they're doubtful. About the first issue, I'm attaching mockups of the reset password screen with less styling. It's less visually interesting to advanced users, but maybe less is more for less experienced users. To help with the second issue, adding an instructional banner might help. For instance, if we were to redirect on submission of the ""reset password"" form to `wp-login/?newpass=true` or similar, then we could offer some guidance. See attached images. Thanks for your consideration. " dcavins Tickets Awaiting Review 31682 reg_passmail message on login.php needs filter Login and Registration 4.1.1 normal normal Awaiting Review enhancement new has-patch 2015-03-18T13:22:43Z 2017-03-01T00:30:22Z "reg passwords is hardcoded to the login.php: {{{ <p id=""reg_passmail""><?php _e('A password will be e-mailed to you.') ?></p> }}} So it appears even if you do some other ways of delivering passwords. E.g. i want to first check the registrating person and then send them the password, not immediately, so i need to change this message that would reflect this, and the only option now is to filter global gettext, what is not optimal. 
Proposed solution - replace this row with {{{ <p id=""reg_passmail""><?php echo apply_filters('reg_passmail',__('A password will be e-mailed to you.')) ?></p> }}} " thomask Tickets Awaiting Review 40768 site.com/login should not redirect to login page when user is already logged in Login and Registration normal normal Awaiting Review enhancement new has-patch 2017-05-15T13:53:08Z 2023-08-18T11:01:29Z "When I am already logged in I should not be redirected to Login page if I type in `mysite.com/login`. Rather WordPress should be able to decide which page I should be on in this situation. Being redirected to Login page even when I am already logged in must be treated as a bug. The reason is I am being able to login as a different user by going to login page directly when I am already logged in! For example if I am already logged in as admin and type in `mysite.com/login` I should directly be taken to `wp-admin`. Same decision could be taken for different user privileges like if I am logged in as a subscriber or as a participant then I might land on site's home page. Inspired from #40762 I have modified the decider so that WordPress can take this decision itself and stop landing logged in users to login page." subrataemfluence Tickets Needing Feedback 48222 """Show password"" button overlaps with the LastPass icon" Login and Registration 5.3 normal normal Future Release enhancement assigned has-patch 2019-10-05T14:29:48Z 2022-09-15T20:51:47Z "The new ""Show password"" button added to login screen in [46256] overlaps with the LastPass extension icon. Tested with Google Chrome 77 on Windows 10. This only happens on Log In and Reset Password screens. The Edit User screen is OK, as the button there is separate from the input." 
SergeyBiryukov Tickets with Patches 30227 Inaccurate wording when creating a user with a reserved email address Login and Registration 3.3.2 normal normal defect (bug) new has-patch 2014-11-01T06:16:43Z 2020-02-06T19:47:07Z "If you try to create a user on multisite using an email address that is tied to an unconfirmed user, you'll get this notice That email address has already been used. Please check your inbox for an activation email. It will become available in a couple of days if you do nothing. ""Please check ''your'' inbox"" seems to imply that the logged in user should check their own inbox for an activation email. Not sure of the best way to reword that so it's clear without being overly wordy. Possibly something like That email address is reserved pending activation. It will become available in a couple of days if left unconfirmed. or That email address is reserved. An activation email has been sent to that address. If left unconfirmed it will become available in a couple of days. Also, ""couple of days"" could be any time less than 2 days, so perhaps a dynamic value could be used here giving a better approximation of the time remaining till the unconfirmed address will be freed up. ''This is referenced in #20817''" trepmal Tickets with Patches 13655 Login/Install/User Edit should stripslashes() $_POST data Login and Registration 3.0 normal normal defect (bug) new has-patch 2010-05-31T11:33:17Z 2019-06-04T20:02:12Z "Following on from #13654 All Login/Registration/Install/User Edit functionality should stripslash $_POST data. At present, it seems that we do not stripslash at all. For existing user passwords, we should migrate passwords to their non-stripslashed versions: [5/31/10 6:34:11 AM] Mark Jaquith: We could migrate people.[[BR]] [5/31/10 6:34:13 AM] Dion (dd32): Perhaps oughta just add proper stripslashing in 3.1, and add back-compat to change password from non-stripslashed to stripslashed.. 
similar to the md5->phpass implementation..[[BR]] [5/31/10 6:35:13 AM] Mark Jaquith: Yep. If the PW doesn't match, addslashes() and compare again. If that matches, set the new PW hash. Right?[[BR]] [5/31/10 6:35:19 AM] Dion (dd32): yep " dd32 Tickets with Patches 43536 Network registration page sabernhardt* Login and Registration normal normal Future Release defect (bug) accepted has-patch 2018-03-13T10:23:17Z 2022-09-27T23:04:14Z "Hi, The registration page for the WordPress Multisite version, has, inside its body, the class page-id-xxx where xxx is the id of the page_on_front. This is in my opinion a bug, and makes impossible to customize this page via CSS because every rule will be also referred to the page_on_front. Then it should be useful to have a custom css on the body of the network registration page, something like network-registration-page. Thanks." SGr33n Tickets with Patches 35736 Replace 'Lost Password' phrase with 'Reset Password' chriscct7* Login and Registration normal normal defect (bug) accepted has-patch 2016-02-05T02:04:28Z 2020-02-06T19:46:34Z "This is a simple terminology change with a huge impact on the end user. Since v4.3, WordPress is no longer sends passwords via email. WordPress sends only password reset links. WordPress also notifies by e-mail when a password is changed. Across WordPress core, the old ""'''Lost my password?'''"" phrase already replaced with the new ""'''Reset Password'''"" / ""'''Password Reset'''"" phrases. But in some places we still use the old ""'''Lost my password?'''"" phrase. This ticket aim is to replace the remaining strings in the login page, and in email notifications. === Login Page === In the reset screen, the page title is ""'''Password Reset'''"". But in the ""'''Login page'''"", the 3 action links under the form - '''Login''' / '''Register''' / '''Lost your password?''' We should replace the old '''Lost your password?''' phrase with the new ""'''Reset Password'''"" action. 
=== Mail notifications === When WordPress notifies by e-mail that the password is changed, we use the ""'''Password Lost and Changed for user...'''"" phrase. Why not simplify this? ""'''Password Changed for user...'''""" ramiy Tickets with Patches 35018 The authentication check modal dialog appears just once Login and Registration 4.4 normal normal defect (bug) new has-patch 2015-12-11T17:12:25Z 2019-06-04T20:19:17Z "Noticed while investigating on #34951. To reproduce: 1. edit a post 2. open a new tab, go in some other admin screen and log out 3. in the tab with the edit post screen, after a while the authentication modal dialog appears 4. login again using the modal dialog 5. repeat step 2 The authentication modal dialog won't appear again because, as far as I see, when it gets hidden the custom event that triggers the dialog gets removed. See `hide()` in `/wp-includes/js/wp-auth-check.js` {{{ $(document).off( 'heartbeat-tick.wp-auth-check' ); }}} Not sure why the event is removed." afercia Tickets with Patches 20116 Welcome User Email in Multisite Can't Be Changed Login and Registration 3.3 normal normal defect (bug) new has-patch 2012-02-24T21:44:28Z 2019-06-04T20:03:14Z "Reproduced this on 3.3 and 3.4-aortic. Go to /wp-admin/network/settings.php Add 'New' to the sentence 'Welcome User' to make it 'Welcome New User' Hit update. Page refreshes, text does not change." Ipstenu Tickets with Patches 36439 Wrong language when resetting password johnbillion Login and Registration normal normal Future Release defect (bug) reviewing has-patch 2016-04-07T09:29:24Z 2021-10-20T15:16:27Z "When using WPML (or other multilanguage plugin) along with multisite, the reset password email comes in wrong language, as the reset password form is sent to network_site_url() instead of site_url(). 
I think a proper way should be: <form name=""lostpasswordform"" id=""lostpasswordform"" action=""<?php echo esc_url( site_url( 'wp-login.php?action=lostpassword', 'login_post' ) ); ?>"" method=""post"">" vasikgreif Tickets with Patches 27632 `wp_registration_url()` doesn't have a redirect argument chriscct7 Login and Registration 3.6 normal normal defect (bug) reviewing has-patch 2014-04-02T12:05:53Z 2019-06-04T20:07:13Z "There is a redirect argument for each of the login, logout, lostpassword url functions, but for the registration url function. Omission or done on purpose?" Denis-de-Bernardy Tickets with Patches 57394 wp_insert_user allows the new user to have a username equal to an already registered email audrasjb Login and Registration 6.1.1 normal normal Future Release defect (bug) assigned has-patch 2022-12-28T23:54:02Z 2024-02-08T20:50:52Z "Scenario: User A is an administrator, has username = 'admin' and email = 'admin@domain.com'; User B registers (open to register wp install) with username = 'admin@domain.com' and email = 'test@gmail.com'; In my case, i use both users, one to admin the website, and the other to simulate an customer user. Both users had same password. When i tried to log in with administrator user by email, i end up logged in the as user B. Then i changed User B password to not conflict, and it works as it should, if i set user A password it gets logged in as user A and if i use User B password it gets logged in as User B. I don't think this is a security issue, but allowing an user to be registered with another users email as username could be annoying and confuse some website administrators for scams or something else. To solve this issue, i just filtered username_exists filter and checked if the username was existing email. 
{{{#!php public function __construct() { /* 10, 2: the callback takes both filter arguments ($user_id, $username) */ add_filter(""username_exists"", array($this, ""username_exists""), 10, 2); } public function username_exists($user_id, $username) { if (email_exists($username)) { $user = get_user_by(""email"", $username); if ($user->exists()) { return $user->ID; } } return $user_id; } }}} " buutqn Tickets with Patches 35858 """wpmu_welcome_notification"" has a filter post-processing routines in wrong place" Login and Registration 3.0 normal normal enhancement new has-patch 2016-02-18T08:54:11Z 2019-06-04T20:22:37Z """wpmu_welcome_notification"" has a filter post-processing routines in wrong place which renders the filter mostly useless. Nearly identical ""wpmu_welcome_user_notification"" has it done correctly. Diff/Patch attached. " mwillberg Tickets with Patches 32508 Action Hooks for empty username and empty password Login and Registration 4.3 normal normal enhancement new has-patch 2015-05-27T16:19:13Z 2019-06-04T20:14:06Z "While you could previously fire an action on ''wp_login_failed'', there were no hooks for an empty username or an empty password. This patch adds ''wp_login_failed_empty_username'' and ''wp_login_failed_empty_password''. ''wp_login_failed_empty_username'' passes no arguments. Similar to ''wp_login_failed'', ''wp_login_failed_empty_password'' will pass the entered username. " jwarren Tickets with Patches 28528 Action in wp-login.php Login and Registration normal normal enhancement new has-patch 2014-06-13T13:28:21Z 2019-06-04T20:08:10Z "Hi, I was thinking that wp-login should have some do actions, and more customization possible, like filtering username and password inputs. Is it in program? Thanks :)" SGr33n Tickets with Patches 35177 Introduce a separate function for the login form action URL Login and Registration 4.4 normal normal Future Release enhancement new has-patch 2015-12-21T03:34:52Z 2023-09-18T20:44:31Z "See #34925, #35103. 
I have always understood `wp_login_url()` to mean ""The url which one can visit to use a login form"" but not necessarily the url to which the form data is posted. Previous to 4.4.0 the login form generated by `wp_login_form()` had the action hard coded to `wp-login.php`. This made it easy (and not uncommon) for users to have `wp_login_url()` filtered to point to a custom page. It was also easy for these users to have a shortcode put a login form on that page which draws from `wp_login_form()`. They didn't need to worry about making their page handle the posted data since the form was hard-coded to post the form submission to `wp-login.php`. The patch proposed in #34925 fixes the problem outlined there, but doesn't fix the bug described here. The desired action is that the function `wp_login_url` should not be used to get the url to which the form should be submitted. We need another way of determining the url to post the data to. I've written a function, `wp_login_handler_url()` which solves the problem here and the problem from the other ticket. Now we can use `wp_login_url()` and `wp_login_handler_url()` separately. By default, they are going to both be pointing at `wp-login.php`, but users can now filter `login_url` while still allowing the login form post data to be sent to `wp-login.php`. If we commit this patch, we could (and should) search through core files for use of `site_url('wp-login.php')` and instead use either `wp_login_handler_url` or `login_url` depending on the circumstance of use. The spirit of the original change was good. We shouldn't have hard-coded references to wp-login.php, we should have a function and one place that can be filtered. And attempting to use the existing function, `wp_login_url()` to get that url was a good idea, but its obvious that two separate but similar functions are needed here." 
khag7 Tickets with Patches 33295 Login: Remove decoration from translation strings Login and Registration 2.5 normal normal enhancement new has-patch 2015-08-06T19:13:30Z 2021-07-15T18:41:21Z "In recent default themes we've begun to remove decorative icons like arrows and carets from translatable strings and add them through CSS. We should do the same on the login screen. It would also make it easier to customize styling of the page." obenland Tickets with Patches 31928 Move wp-signup.php functions to a wp-includes directory Login and Registration normal normal Future Release enhancement new has-patch 2015-04-08T01:51:48Z 2022-11-22T00:29:16Z "Right now, all of the functions that deal with multisite registration are located in the `wp-signup.php` file, mixed in with control and template logic. This makes it difficult to reuse any of the registration functionality and makes it harder to create a custom registration experience for a network. I'd propose moving all of the functional logic into a file in the `wp-includes` folder and include that file at the beginning of the registration page, at minimum. Additionally, we could big and make wp-signup.php a dummy file and put everything into the wp-includes folder, as @markjaquith suggests in #31744. Even so, I think the functional logic should be separated out from the rest." joemcgill Tickets with Patches 28352 New filters in wp-activate.php voldemortensen Login and Registration 3.0 normal normal enhancement assigned has-patch 2014-05-25T08:54:00Z 2019-06-04T20:07:52Z "Added two new filters to filter content being displayed on activation confirmation or error. 
`signup_activation_success` and `signup_activation_error`, it allows to change the default activation message being displayed" UmeshSingla Tickets with Patches 28351 New filters in wp-signup.php Login and Registration 3.0 normal normal enhancement new has-patch 2014-05-25T06:20:01Z 2019-06-04T20:07:48Z "Added two new filters in wp-signup.php `confirm_user_signup` and `confirm_blog_signup`, they allow a user to filter the message being printed on signup confirmation after successful user or blog registration. Currently the wp-signup.php file does not provide enough flexibility to display a custom confirmation message, although it should be a easy thing. " UmeshSingla Tickets with Patches 57157 Reduce external resources for wp-login.php rajinsharwar Login and Registration normal normal Future Release enhancement assigned has-patch 2022-11-20T05:18:42Z 2024-02-12T14:58:34Z "The login page is quite heavy. - The `user-profile` script adds `zxcvbn`, `wp-util`, jQuery, etc. (about 1MB together). When not resetting the password, a small inline script might be used. - The Dashicons stylesheet (about 60kB) is rather large for 3 icons if they could be inline SVG instead. - Because the login page does not include `locale-` body classes, `l10n.css` only change the body font for RTL languages. If login.css sets that font instead, the stylesheet could also specify 'Arial Hebrew' with `body.rtl:lang(he-IL)`. However, the separate `buttons` and `forms` stylesheets could remain as dependencies." sabernhardt Tickets with Patches 35829 Separate functions from wp-login.php Login and Registration normal normal enhancement new has-patch 2016-02-14T13:10:10Z 2019-06-04T20:22:28Z "There are some functions in `wp-login.php`. But it makes hard to customize login page. (e.g. 
[https://github.com/georgestephanis/two-factor/pull/62 2FA Feature plugin]) Related: #20279" extendwings Tickets with Patches 35427 add filter on the wpmu_signup_user() meta values in user-new Login and Registration 3.0 normal normal enhancement new has-patch 2016-01-12T20:49:48Z 2019-06-04T20:20:51Z "I want to add additional meta when signing up a new user so I need a filter to allow this '''note'''. the s2member multi-site setup requires c a core mode to allow this " pbearne Tickets with Patches 35422 only exit if the redirect is true when registering on multisites Login and Registration normal normal enhancement new has-patch 2016-01-12T18:55:09Z 2022-02-19T08:10:40Z " in wp-login.php we do a redirect to (wp_signup_location wp-signup.php) when registering on multi sites and die we should only die if the redirect is true I also want to this patch added to save me from having to edit a core file in order to install s2member on multisite This plugin has install instructions that have us rem out the redirect and exit ` {{{#!php <?php case 'register' : if ( is_multisite() ) { $sign_up_url = network_site_url( 'wp-signup.php' ); // Multisite uses wp-signup.php // Modified for full plugin compatibility. //wp_redirect( apply_filters( 'wp_signup_location', $sign_up_url ) ); //exit; } }}} ` I would like to change this to use the filter to remove the location and cause the wp_redirect to return false" pbearne Tickets with Patches 18287 wp-login.php - Logo URL should be relative (affects MultiSite) Login and Registration 3.2 normal normal Future Release enhancement new has-patch 2011-07-29T00:31:49Z 2020-01-06T17:40:30Z "If you go to your domain.com/wp-login.php page it has a WP logo that links back to domain.com If you're using multisite and go to subsite.domain.com/wp-login.php, it links back to domain.com If you're using multisite and you MAP a domain and go to mappeddomain.com/wp-login.php, it links back to domain.com I can see why this would have been done. 
It points to network_home_url() which is perfectly sensible for MOST situations. But maybe we should just honor the site on which people are trying to login, so that it's all relative. Given the link on the bottom (back to...) goes to the relative site, this is a logical change. I would say to keep the EMAILS for password resets as is, since the network is in charge of it all, but the front end interface should be consistent. I did a quick test and this works fine on Single and Multi (as expected). So ... here's my first diff!" Ipstenu Tickets with Patches 37522 reset password and lost password form functions voldemortensen Login and Registration normal normal Future Release feature request assigned has-patch 2016-07-30T09:07:07Z 2019-02-21T09:36:45Z "Wordpress provides the {{{wp_login_form}}} function that can be placed anywhere on our wordpress site through shortcodes, etc. But I couldn't find a function for the ''reset password'' and ''lost password'' form. Would it be possible to create those functions as part of Wordpress itself? I'd like to avoid copying code from the wp core files (wp-login) into my own code. I prefer to use Wordpress built-in functions as much as possible. " mireillesan Unpatched Bugs 27165 Incorrect nonce supplied when authenticated session expires Login and Registration 3.8.1 normal minor defect (bug) new has-patch 2014-02-20T11:55:44Z 2019-06-04T20:06:52Z "I was using a nonce (with action name) for a nopriv ajax request and found nonce supplied via page load was invalid, whereas nonce supplied via ajax request was valid. This only occurs when admin area prompts to re-authenticate current user. In my system, a nonce (action 'xyz', say) is given via localize script to the client on page load. This nonce is then used to verify a subsequent nopriv ajax request. This request then responds with the latest nonce (for 'xyz') (which may be the same, of course) for any further ajax requests. 
However, I suddenly found that upon page reload, the nonce provided via localize script was invalid. Assuming this was a bug in my code, I commented out nonce verification in my action function. I then discovered that the ""new"" nonce being supplied in the ajax response was always different to the initial nonce despite the same action name being used in its creation. On further experimentation it became apparent that the nonce supplied by ajax response was valid and did verify with further ajax requests. I then found I had the admin area open in a separate tab and it was prompting me to re-authenticate. Upon logging back in the nonces realigned and worked again. tl;dr: Requests by ajax consider current user differently to fresh page load (for nonces at least) when in logged in limbo. The bug is that it shouldn't. It's a very minor issue but it was very confusing and took me quite some time to find the somewhat non-intuitive solution." joe_bopper Slated for Next Release 55343 "Add Tooltip to ""Remember Me"" (WP Login Form)" rajinsharwar Login and Registration normal normal 6.6 enhancement assigned dev-feedback 2022-03-08T16:33:44Z 2024-02-12T14:59:54Z "Currently, WordPress' login form has a checkbox labeled ""Remember Me."" Over the years, there's been some debate over the verbiage used for ""Remember Me"" (say, versus ""Stay Logged In"" or ""Keep Me Logged In"") and what it really means. To eliminate any confusion, this is to request the [https://ibb.co/fkqN7Vz /addition of a tooltip] next to ""Remember Me"" in the form of a question (?) mark. Further, the tooltip can offer a security warning to all users. The content (text) for the tooltip could be: ""**Selecting Remember Me reduces the number of times you’ll be asked to log in using this device. 
To keep your account secure, use this option only on your personal devices.**"" Also, in anticipation that this enhancement request will be approved, I would like to recommend updating the [https://developer.wordpress.org/reference/functions/wp_login_form /affected codex page] for the login form to add a code snippet that will allow developers to change the content (text) of the tooltip to suit their needs. The above would be a nice addition or update to WordPress' login form. Thank you." generosus Tickets Awaiting Review 44333 Password hint label needs to be re-worded and needs to have a minimum password length check Login and Registration normal major Awaiting Review defect (bug) new dev-feedback 2018-06-08T14:39:10Z 2018-06-08T21:28:06Z "When resetting password, the help text under password box says: {{{ Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! "" ? $ % ^ & ). }}} Although it says **should be at least twelve characters long**, I am able to use only one character! 1. The above help text needs to be re-worded with some like: {{{ Hint: The recommended length of the password should be at least twelve characters and must have at least X characters. To make it stronger, use upper and lower case letters, numbers, and symbols like ! "" ? $ % ^ & ). }}} `X` can be a number say 6, 8 etc. 2. I believe there needs to be a minimum length check." 
subrataemfluence Tickets Awaiting Review 44334 'Invalid username or email' can just be 'Invalid username' in retrieve_password function Login and Registration normal normal Awaiting Review enhancement new dev-feedback 2018-06-08T15:04:20Z 2018-06-08T15:56:11Z "Since `strpos` returns `false` if a character is not found in between the input string and returns `0` if found at the beginning of it the error message `There is no user registered with that email address.` will only come up if user could not be located with the supplied email address. For anything else we can just use `Invalid username`. Example: `myname@gmail.com` - Error message: There is no user registered with that email address. - This is correct since strpos only returns true if @ is somewhere within the string or at the end. Example: `@myname` - Error message: Invalid username - No need to add the phrase or email Example: `@@myname` - Error message: Invalid username - No need to add the phrase or email Example: `myname` - Error message: Invalid username - No need to add the phrase or email" subrataemfluence Tickets Awaiting Review 26474 Add Filter to Username/Password Fields on Login Form? Login and Registration 3.8 normal normal Awaiting Review enhancement new dev-feedback 2013-12-07T18:06:49Z 2017-05-13T21:39:09Z "As a state institution, we are required to remain PCI-compliant. One of the areas we've been dinged in scans in the past, albeit an area that they consider ""low risk"", is the fact that the username and password fields allow autocomplete. I understand that it's probably not preferable for everyone using WordPress to have autocomplete turned off on those fields, but it would be nice if it was simple to at least filter those fields to turn it off (or, at the very least, add that as one of the ""args"" that are used when the form is built). 
This should obviously be used both in wp-login.php and in the `wp_login_form` function within wp-includes/general-template.php I'm happy to work up a patch for this if this is something that might be supported. Thanks." cgrymala Tickets Awaiting Review 40065 Check for invalid user before `lostpassword_post` in `retrieve_password()` Login and Registration 4.7.3 normal normal Awaiting Review enhancement new dev-feedback 2017-03-07T22:14:22Z 2018-05-04T01:18:16Z Some errors are added before `lostpassword_post` and one is added after. It'd be nice if all of the errors were present when the action is called. This patch fixes that. jfarthing84 Tickets Awaiting Review 34466 wp_register_form, wp_lost_password_form function Login and Registration 4.4 normal normal Awaiting Review feature request new dev-feedback 2015-10-27T14:48:11Z 2017-02-22T09:57:13Z "Hi, We currently have a wp_login_form function to display the login form, however, we do not currently have an opposite for the registration form. '''Should look into:''' wp_register_form wp_lost_password_form " atomicjack Candidates for Closure 60529 "Filter to disable ""password reset""" Login and Registration normal normal Awaiting Review defect (bug) new dev-feedback 2024-02-13T16:58:45Z 2024-02-20T11:39:48Z "there is existing filter `allow_password_reset` which doesn't work as it might sound.. For example, setting that filter to `false` still allows the ""wp-login.php?action=lostpassword"" url continue to work. Many people today uses 3rd party authorizations (Google sign in, facebook, etc etc) and want to have disabled internal registration/password reset forms. It will be good to have a filter to disable ""Lost password"" capability completely. 
(Also, I assumed that if users are allowed to be registered on site, then it doesn't have any point to have ""Lost password"" disabled, so, the check includes whether ""registration is disabled"".)" ttodua Candidates for Closure 54299 Multisite: The link in the password retrieval email always points to the main-site Login and Registration normal normal Awaiting Review defect (bug) new dev-feedback 2021-10-20T14:59:52Z 2023-08-18T12:37:19Z "The link in the password retrieval email always points to the main-site. If the password reset was requested on a sub-site then the link in the email should point to that sub-site. This is important because the main-site may be in a different language to the sub-site." henry.wright Candidates for Closure 41236 Reset Password button text during the registration process Login and Registration normal normal Awaiting Review defect (bug) new dev-feedback 2017-07-04T14:05:11Z 2017-07-06T08:51:21Z "After completing the registration form at wp-login.php, the user is sent a ""Your username and password"" email which contains a link to the reset password page. Here, the user can set a password. The button on the page reads ""Reset Password"". The button text doesn't quite make sense. The user isn't resetting their password; instead, they are setting a password for the first time. Something like ""Set password"" seems more appropriate. " henry.wright Candidates for Closure 37870 Adding hints to login/registration form fields Login and Registration 4.6 normal normal Awaiting Review enhancement new dev-feedback 2016-08-29T21:22:51Z 2019-04-19T16:04:22Z "Could it be possible to clarify a bit the login/registration system for computer-illiterate people, by putting a grayed-out example of the kind of data they have to enter in each login field? I have already seen this on other websites, and it is very effective IMHO. For example: - ID: grayed-out johnsmith - Email: grayed-out john@smith.org - Etc. 
Of course, the grayed-out examples should be considered for i18n, so that the form displays examples relevant to each culture/language." davidbourguignon Candidates for Closure 46618 Change login behaviour to only set the test cookie when a user attempts to login instead of just on visiting the login page Login and Registration normal normal Awaiting Review enhancement new dev-feedback 2019-03-23T09:02:24Z 2019-04-05T05:13:50Z "Hello, I'm branching this from #44175 to account for the idea presented by @SergeyBiryukov; > I wonder if we could change the behavior to match the text, so that the test cookie is only set upon trying to log in, as that probably makes more sense. I'd be more comfortable with doing that in a major release though. The change would be to move the logic for the test cookie to be triggered upon the login action rather than the login page visit. Cheers" garrett-eclipse Candidates for Closure 45143 "If the ""recover password"" form submit button is double-clicked two emails will be sent" Login and Registration normal minor Awaiting Review enhancement new dev-feedback 2018-10-22T08:44:48Z 2019-03-18T12:11:56Z "Some users tend to double-click all buttons and links. On the password recovery form (/wp-login.php?action=lostpassword) when the submit button is double-clicked, two emails will be sent. At this point the user is confused about which link to use to recover the password and fails finishing the recovery. It would be good for the submit button to have a time limit or some other means to prevent a double-click from happening." Tiia Rantanen Candidates for Closure 58311 Validate Username for not to be a email and strip everything after @ Login and Registration normal normal Awaiting Review enhancement new dev-feedback 2023-05-14T18:09:52Z 2023-08-15T12:07:25Z "Right now it is possible to register user and place full email as Username and username is not supposed to be changed after. 
When site administrator is adding someone manually, it can be done easily as a mistake and revealing author's email for everyone to see and can be picked up from authors archive as well. Display name can be changed after, but it needs to be done manually, by default Username, Nickname and the Display name are equal. If some people already have @ in their usernames (and I think I've seen that somewhere), the only thing which can be done about this is to filter the Display name before output and strip the @ and everything after." oglekler Candidates for Closure 60737 invalid_email or user_email ? Login and Registration trunk normal minor Awaiting Review enhancement new dev-feedback 2024-03-10T21:40:10Z 2024-03-10T21:40:10Z "Hey there, I'm talking about login error keys. Here are the 3 things we can find in the WP Core: {{{#!php <?php $errors->add( 'invalid_email', __( '<strong>Error:</strong> There is no account with that username or email address.' ) ); $errors->add( 'invalid_email', __( '<strong>Error:</strong> The email address is not correct.' ) ); $errors->add( 'user_email', __( '<strong>Error:</strong> The email address is not correct.' ), array('form-field' => 'email', ) ); }}} The 1st is an error message when you try to login using an email address that is not used as a user in this site, the key is ""invalid_email"" The 2nd is an error message when you try to register a new user with an email address that is not correctly formatted, the key is ""invalid_email"" The 3rd is an error message when you try to update your personal profile with an email address that is not correctly formatted, the key is ""user_email"" So we have 2 keys and 2 messages (like ""A1 A2 B2"", should be ""A1 B2 B2"") but the message 2 is sharing both, we should clearly decide if ""invalid_email"" is when the email does not exist in our site OR when the email is not correctly formatted. 
I suggest that the 2nd message should share the ""user_email"" and let the ""invalid_*"" for the login stuff, like we already have ""invalidcombo"" or ""invalid_username"" that shares the same kind of issue. thanks for your reading time" juliobox Candidates for Closure 55193 login-form: Use the same id and class value between wp_login_form() and wp-login.php Login and Registration normal normal Awaiting Review enhancement new dev-feedback 2022-02-18T05:57:43Z 2023-08-18T12:05:40Z "Hi, below are the codes of login forms html output of `wp_login_form()` function, and wp-login.php page {{{ <!-- The html output of login-form in wp-login.php page --> <form name=""loginform"" id=""loginform"" action=""https://xxxxxxxxxx/wp-login.php"" method=""post""> <p> <label for=""user_login"">Username or Email Address</label> <input type=""text"" name=""log"" id=""user_login"" class=""input"" value="""" size=""20"" autocapitalize=""none""> </p> <div class=""user-pass-wrap""> <label for=""user_pass"">Password</label> <div class=""wp-pwd""> <input type=""password"" name=""pwd"" id=""user_pass"" class=""input password-input"" value="""" size=""20""> <button type=""button"" class=""button button-secondary wp-hide-pw hide-if-no-js"" data-toggle=""0"" aria-label=""Show password""> <span class=""dashicons dashicons-visibility"" aria-hidden=""true""></span> </button> </div> </div> <p class=""forgetmenot""> <input name=""rememberme"" type=""checkbox"" id=""rememberme"" value=""forever""> <label for=""rememberme"">Remember Me</label> </p> <p class=""submit""> <input type=""submit"" name=""wp-submit"" id=""wp-submit"" class=""button button-primary button-large"" value=""Log In""> <input type=""hidden"" name=""redirect_to"" value=""https://xxxxxxxxxx/""> <input type=""hidden"" name=""testcookie"" value=""1""> </p> </form> }}} {{{ <!-- The html output of login-form with wp_login_form() function --> <form name=""loginform"" id=""loginform"" action=""https://xxxxxxxxxx/wp-login.php"" 
method=""post""> <p class=""login-username""> <label for=""user_login"">Username or Email Address</label> <input type=""text"" name=""log"" id=""user_login"" class=""input"" value="""" size=""20"" tabindex=""0""> </p> <p class=""login-password""> <label for=""user_pass"">Password</label> <input type=""password"" name=""pwd"" id=""user_pass"" class=""input"" value="""" size=""20"" tabindex=""0""> </p> <p class=""login-remember""> <label> <input name=""rememberme"" type=""checkbox"" id=""rememberme"" value=""forever"" tabindex=""0""> Remember Me </label> </p> <p class=""login-submit""> <input type=""submit"" name=""wp-submit"" id=""wp-submit"" value=""Log In"" tabindex=""0"" class=""button button-primary""> <input type=""hidden"" name=""redirect_to"" value=""https://xxxxxxxxxx/""> </p> </form> }}} Look into same field between the two html outputs, you can see most of the p, label, and input tag has different values of the css ids and classes. for example: wp_login_form(): {{{<input name=""rememberme"" type=""checkbox"" id=""rememberme"" value=""forever"">}}} wp-login.php: {{{<input name=""rememberme"" type=""checkbox"" id=""rememberme"" value=""forever"" tabindex=""0"">}}} the ids are the same, but wp_login_form(): {{{<p class=""forgetmenot"">}}} wp-login.php: {{{<p class=""login-remember"">}}} the classes are different Can you make the ids and classes same, so it will be easier for me to make the two login forms ( `wp_login_form()` and wp-login.php ) with consistent style? " syshut Candidates for Closure 41663 Hooks for the back to login link in the footer of wp-login.php Login and Registration 4.8.1 normal normal Awaiting Review feature request new dev-feedback 2017-08-17T18:58:25Z 2021-07-20T15:59:58Z "In the following pull request: [https://github.com/WordPress/WordPress/pull/306/files] I introduced 3 new filters to the login footer area. With these filters you can customize the back to login link to your needs. 
" Fleuv Candidates for Closure 38789 Multisite sign-up improvements (potential roadmap) Login and Registration 3.0 normal normal Awaiting Review feature request new dev-feedback 2016-11-14T20:06:03Z 2019-03-25T21:18:22Z "The `wp_signups` database table has a few things not going for it: * No `_Query` class * No `WP_Signup` object class * No user interface for moderating them * No query or object caching * A `meta` database column vs. a `wp_signupmeta` database table * `wp-signup.php` is a pretty gnarly file, as is `wp-activate.php` A lack of support for this multisite feature means no one is very likely to use it. Most membership plugins (BuddyPress included) generally wrap around it, but also need to write a bunch of additional code to interface with what's here now. I took a stab at this last week, and made this plugin for a proof-of-concept: * https://wordpress.org/plugins/wp-user-signups * https://github.com/stuttter/wp-user-signups Pretty much all of the pieces are there, minus the meta-data table (which would not be very hard at all.)" johnjamesjacoby Tickets Needing Feedback 14949 Login gives false assurance of having logged out rajinsharwar* Login and Registration normal normal Future Release defect (bug) accepted dev-feedback 2010-09-23T10:39:34Z 2023-09-27T19:35:30Z "If you visit `wp-login.php?loggedout=true` while logged in, WordPress falsely tells you that ""You are now logged out."" This is a problem because it could lead you to think, e.g., that a public computer is no longer authenticated with access to your WP admin. Patch redirects a still-authenticated user back to the admin from the login page if she requests the above page without actually having logged out." 
filosofo Tickets Needing Feedback 36179 Password protected post with force_ssl_admin() and domain mapping not working Login and Registration 4.3.1 normal normal defect (bug) new dev-feedback 2016-03-09T13:48:42Z 2019-06-04T20:23:26Z "Hi, I'm running a WordPress multisite with ""define(FORCE_SSL_ADMIN, true)"" and domain mapping. Our network site is using ssl (where users login to administrate their site). But a domain mapped site is not using ssl, which is working fine. So, I have a post that is password protected. When I'm on the mapped domain and submit the password protect form, I then get redirected to ""wp-login.php?action=postpass"" over https and get a security warning. It should not redirect me to https when I'm on a non-ssl mapped domain. Thanks" tcdeskwolf Tickets Needing Feedback 16482 Visibility: password-protected breaks with redirected domains Login and Registration 3.0.4 normal normal defect (bug) new dev-feedback 2011-02-07T18:58:45Z 2019-06-04T20:02:37Z "Pre-requisite to reproduce: domain.com must redirect to www.domain.com (haven't tested with other subdomains than www, but I'm sure it would be the same). 1. password protect a page 2. visit domain.com/protected (which redirects to www.domain.com/protected) 3. enter password 4. something about the redirect OR the way the password is stored/checked is broken; you are redirected to the wp-admin (WordPress login) page. Sanity check: 1. password protect a page 2. visit www.domain.com/protected (requiring no subdomain redirect) 3. enter password 4. 
successful log-in " monkeyhouse Tickets Needing Feedback 46748 authenticate filter hook does not behave as expected for priority values less than 20 SergeyBiryukov* Login and Registration 3.7 normal normal Future Release defect (bug) accepted dev-feedback 2019-04-01T12:33:38Z 2022-04-04T06:23:03Z "Returning null or a WP_Error object from functions bound to the [https://codex.wordpress.org/Plugin_API/Filter_Reference/authenticate authenticate] filter at priority values less than 20 does not prohibit a user from logging in. Consider the following snippet: {{{#!php <?php /* Plugin Name: Prohibit Login Description: Proves that the authenticate filter does not work as expected with lower priority Author: Robert Peake Version: 0.1 */ function prohibit_login($user_or_email, $username = null, $password = null) { return new WP_Error('authentication_failed','Prohibit Login plugin prohibited login'); } add_filter('authenticate', 'prohibit_login', 20, 3); }}} This code when activated as a plugin prohibits an admin user from logging in using wp-login.php and displays the message ""Prohibit Login plugin prohibited login"" as expected. Changing the value from 20 to e.g. 19 on the final line does not prohibit an admin user from logging in using wp-login.php. No message is displayed, and the login proceeds. (Note: this has been tested with all other plugins deactivated with the Twentynineteen theme using the latest nightly build.) While this is not a security problem in itself, because it is undocumented behaviour it could lead to security issues in plugins where an author assumes that, like other filter hooks, e.g. the default priority of 10 can be explicitly stated without side-effects. For this reason, I initially [https://hackerone.com/reports/519283 submitted a ticket on the HackerOne platform] just to be sure, but the ticket was closed as being a ""hypothetical"" vulnerability without a ""clear PoC"", so I am filing this bug report instead." 
robert.peake Tickets Needing Feedback 50522 "stop setting ""older"" cookies with multiple path prefixes" Login and Registration 5.4.2 normal normal Future Release defect (bug) new dev-feedback 2020-07-01T13:38:23Z 2024-02-01T20:47:17Z "According to `wp_clear_auth_cookie()`,
{{{#!php
<?php
// Auth cookies.
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

// Settings cookies.
setcookie( 'wp-settings-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
setcookie( 'wp-settings-time-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );

// Old cookies.
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

// Even older cookies.
setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

// Post password cookie.
setcookie( 'wp-postpass_' . COOKIEHASH, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
}}}
Which usually means **19 cookies for a login**. This itself may represent up to **2.4 kB of header size** for that sole purpose. (Remember that many reverse proxies have arbitrary limits, e.g. HTTP2 push on Cloudflare at 3kB.) An obvious first question is why decade-old cookies are still set instead of the minimal 11 cookies. We can also observe that in most configurations, **COOKIEPATH = /**, ADMIN_COOKIE_PATH and SITECOOKIEPATH are either equal or a **subpath of COOKIEPATH**. As a consequence, these additional granular-path cookies are useless because the cookie is already set for the whole domain. This could further remove 2 or 3 cookies. Couldn't this number of cookies be halved?" drzraf Tickets Needing Feedback 31166 wpmu_signup_user_notification filter is incorrect Login and Registration 3.0 normal normal defect (bug) new dev-feedback 2015-01-28T20:30:03Z 2019-06-04T20:10:50Z "Simple ticket here, The wpmu_signup_user_notification filter seems to be filtering the wrong option {{{ if ( ! apply_filters( 'wpmu_signup_user_notification', $user, $user_email, $key, $meta ) ) return false; }}} If I'm thinking correctly, the filter should be filtering a boolean. If two filters are added to this and the first returns false, there is no way for the second filter to recover the $user variable. This is how I see it working WP4.1, /wp-includes/ms-functions.php line 919 {{{ if ( ! apply_filters( 'wpmu_signup_user_notification', true, $user, $user_email, $key, $meta ) ) return false; }}}" johnrom Tickets Needing Feedback 55459 Change Login Label name Login and Registration normal normal Future Release enhancement new dev-feedback 2022-03-25T09:31:21Z 2024-02-12T14:57:37Z "I wanted to change the Login Labels of my Login Page and couldn't find anything to hook as it is only labeled with raw values. It would be a lot better if there was anything else than gettext function to change the value. 
Maybe a filter. " wparslan Tickets Needing Feedback 24465 Introduce filter for user password on registration Login and Registration normal normal enhancement new dev-feedback 2013-05-30T17:12:35Z 2020-08-12T14:17:39Z We should introduce a filter within {{{register_new_user}}} on the auto-generated password to make it easier for plugins to handle setting custom passwords. jfarthing84 Tickets Needing Feedback 31821 Make interim login URL filterable johnbillion Login and Registration 4.2 normal normal Future Release enhancement reviewing dev-feedback 2015-03-31T14:36:20Z 2017-08-22T14:40:51Z Currently, there is no clean way to detect and filter the interim login URL, short of using the ''clean_url'' filter. Obviously, this is not ideal. Plugins that modify the login URL, like my plugin, Theme My Login, would definitely benefit from a direct filter on this. jfarthing84 Tickets Needing Feedback 31039 Move retrieve_password() from wp-login.php SergeyBiryukov Login and Registration normal normal Future Release enhancement reviewing dev-feedback 2015-01-16T20:26:08Z 2021-02-02T12:35:36Z Once considered in #20279, I am able to propose a sane way to separate {{{retrieve_password()}}} from {{{wp-login.php}}}. jfarthing84 Tickets Needing Feedback 20019 wpmu_validate_blog_signup(): Allow '.' and '-' in blog names Login and Registration 3.0 normal normal enhancement reopened dev-feedback 2012-02-10T23:04:29Z 2019-06-04T20:03:10Z "Canonical uses Wordpress 3.x multisite as part of voices.canonical.com, for employees who do not have or wish to list their personal blog. The code is stock, except for one patch we maintain, which allows blog names (currently in WP as lowercase alphanumeric only) to also include '.' and '-'. This matches our global username format. Attached is a patch extending wpmu_validate_blog_signup() to allow '.' and '-', with a tweak for the error text. 
We have been running the patch for a while, and have not run across any problems with the rest of the code accepting this." fo0bar Tickets with Patches 54298 Multisite: resetpassform always posts to the main-site wp-login.php file Login and Registration normal normal enhancement new dev-feedback 2021-10-20T14:50:00Z 2023-10-01T01:52:18Z The reset password form always posts to the main-site wp-login.php file. If the reset password form on a sub-site is being used then I'd expect the form to post to the sub-site wp-login.php file. henry.wright Tickets with Patches 54761 Save the preferred language from login page (since WP5.9) Login and Registration 5.9 normal normal Future Release enhancement new dev-feedback 2022-01-07T17:17:33Z 2022-04-09T08:18:57Z "Hello, On WP5.9 a language switcher is added in the wp-login.php. Here is the dev note by @audrasjb https://make.wordpress.org/core/2021/12/20/introducing-new-language-switcher-on-the-login-screen-in-wp-5-9/ I think it would be great if choosing a language here will update the Language user meta to display the back-office in the same language as previously chosen. As per 1st test made, this doesn't currently update." sebastienserre Unpatched Bugs 30023 Chrome autofill password keeps showing after wp_attempt_focus clears password field Login and Registration 4.0 normal normal Future Release defect (bug) new dev-feedback 2014-10-17T17:30:50Z 2020-02-15T17:45:27Z "Chrome's autofill of remembered passwords causes an issue with wp_attempt_focus (defined in wp-login.php). The JavaScript function clears the password field, but Chrome still displays the field as filled out. Submitting the form results in the following error (obviously): * ERROR: The password field is empty. If people want to have Chrome autofill their password, I strongly suggest not to intervene. 
Not only are we going to annoy users by trying to hack around it (see ticket [ticket:24364]), but the hacks will also likely cause even more issues in a future Chrome release." Robbert S Unpatched Enhancements 36317 Introduce a cookie prefix default constant Login and Registration normal normal enhancement new dev-feedback 2016-03-24T01:41:57Z 2019-06-04T20:23:42Z "Right now, all of WordPress's cookies are prefixed with the same `wordpress` namespace. A problem arises with `advanced-cache.php` caching solutions that load before `wp_cookie_constants()` is called, where the cookie prefix cannot be guessed. The current workaround is to stab at each cookie individually:
{{{
// Auth cookie
if ( defined( 'AUTH_COOKIE' ) && ( $this->cookie === AUTH_COOKIE ) ) {
	return true;
}

// User cookie
if ( defined( 'USER_COOKIE' ) && ( $this->cookie === USER_COOKIE ) ) {
	return true;
}

// Logged-in cookie
if ( defined( 'LOGGED_IN_COOKIE' ) && ( $this->cookie === LOGGED_IN_COOKIE ) ) {
	return true;
}
}}}
And to special case the test cookie, like:
{{{
// Generic 'wordpress' cookies (that are not test cookies)
if ( ( substr( $this->cookie, 0, 9 ) === 'wordpress' ) && ( $this->cookie !== 'wordpress_test_cookie' ) ) {
	return true;
}
}}}
But without a known and trusted cookie prefix, it's still an unpredictable environment. ----- I'd like to re-propose an 8 year old issue (#6413) to introduce a new default constant to define a cookie prefix. This could turn the above snippet into something at least slightly more sane, like:
{{{
// Generic 'wordpress' cookies (that are not test cookies)
if ( defined( 'COOKIEPREFIX' ) ) {
	$len = strlen( COOKIEPREFIX );
	// Match the prefix, and skip any cookie that contains 'test_cookie' after it
	if ( ( substr( $this->cookie, 0, $len ) === COOKIEPREFIX ) && ( false === strpos( $this->cookie, 'test_cookie', $len ) ) ) {
		return true;
	}
}
}}}
A `COOKIEPREFIX` constant would also allow plugins an easy way to drop themselves inside of WordPress's cookie namespace, which will help them play more nicely in environments where WordPress is not the only application within the domain." johnjamesjacoby Candidates for Closure 35817 Force users to set strong passwords Login and Registration normal normal Awaiting Review enhancement new close 2016-02-12T16:31:38Z 2024-02-08T15:55:49Z "WordPress 4.3 added [https://github.com/dropbox/zxcvbn zxcvbn] for better password strength testing. The UI was also modified to push users to set strong passwords in various ways. * When setting a password, a strong one is generated for the user. * A user must check off an ""Are You Sure?"" checkbox to set a weak password. This is great. However, an ""Are You Sure"" checkbox is what stands between an easily hackable WordPress site and an exponentially stronger WordPress site. I would like to force users to set strong passwords in the UI. " ericlewis Tickets with Patches 36098 "Install: ""Repeat Password"" is not required when browser js is disabled" Login and Registration normal normal defect (bug) new close 2016-03-05T00:57:39Z 2020-02-16T21:35:57Z "Recreate: 1. Turn off browser JS. 2. Install WordPress. 3. Go to step 2. The ""'''Repeat Password'''"" field is marked as '''required'''. It's not. ---- Recreate this step by step: Leave all fields empty and press the install button. You will see an error saying: `Please provide a valid username.` Enter invalid username (use spaces). You will see an error saying: `The username you provided has invalid characters.` Enter valid username. 
You will see an error saying: `You must provide an email address.` Enter some text (not an email). You will see this error message: `Sorry, that isn’t a valid email address. Email addresses look like username@example.com.` If you provide a valid email, it will install WordPress. ''' Password is not required! '''" ramiy Slated for Next Release 60062 Add required attribute to username and password field in wp_login_form function. rcreators Login and Registration 3.0 normal normal 6.6 defect (bug) assigned 2023-12-13T16:56:11Z 2024-03-12T15:39:03Z "Add required attribute to username and password field in wp_login_form function. " alesflex Slated for Next Release 60726 The WordPress core password reset needs to pre-populate the username to meet WCAG 2.2 joedolson* Login and Registration normal normal 6.6 defect (bug) accepted 2024-03-07T17:09:25Z 2024-03-07T19:33:35Z "According to new WCAG 2.2 success criterion for [https://www.w3.org/TR/WCAG22/#dfn-processes 3.3.7 redundant entry]. The criterion establishes that information previously entered by or provided to the user that is required to be entered again the same process is either: * auto-populated, or * available for the user to select There are 3 exceptions: * re-entering the information is essential, * the information is required to ensure the security of the content, or * previously entered information is no longer valid. Once the user has performed the process of requesting a new password, the redirected form should have the username filled-in to pass. As of now, this is the form that the user is redirected to: " estelaris Tickets Awaiting Review 55335 $user_login double escaped with incorrect/empty password in wp-login.php Login and Registration normal normal Awaiting Review defect (bug) new 2022-03-08T03:56:54Z 2023-10-11T20:35:15Z "First: {{{ if ( isset( $_POST['log'] ) ) { $user_login = ( 'incorrect_password' === $errors->get_error_code() || 'empty_password' === $errors->get_error_code() ) ? 
esc_attr( wp_unslash( $_POST['log'] ) ) : ''; } }}} Then: {{{ <input type=""text"" name=""log"" id=""user_login""<?php echo $aria_describedby_error; ?> class=""input"" value=""<?php echo esc_attr( $user_login ); ?>"" size=""20"" autocapitalize=""off"" /> }}} Fix is to late escape only, and remove the top one." johnjamesjacoby Tickets Awaiting Review 42610 Admin created account password reset process not reverse proxy friendly Login and Registration 4.9 normal normal Awaiting Review defect (bug) new 2017-11-17T21:08:41Z 2017-11-17T21:08:41Z "WordPress newbie, so feel free to point me to a better resolution. Couldn't find anything quite like this. Have WP running mostly correctly behind a reverse proxy. So no one ever directly touches blog.<domain>.com (the WP site), instead they access it through www.<domain>.com/blog If I create user accounts in the admin, it sends initial password reset links to the new accounts, which have a format like www.<domain>.com/blog/wp-login.php?action=rp&key=<hash>&login=<user> In wp-login.php, I see the case that catches the rp action, and it does something with the key and user parameters, then strips them off and redirects again to wp-login as follows: {{{#!php wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) ); }}} I'm unclear on why this line doesn't incorporate site_url as do several other places in nearby code. The user ends up getting a redirect to /wp-login.php. That is, from the '''user's perspective''' (not seeing the reverse proxy activity), it looks like: www.<domain>.com/blog/wp-login.php?action=rp&key=<hash>&login=<user> redirects to www.<domain>.com/wp-login.php?action=rp which is a 404 From the '''WP server's''' perspective, it told blog.<domain>.com/wp-login.php?action=rp&key=<hash>&login=<user> to redirect to /wp-login.php?action=rp which would have been fine if there were no reverse proxy involved. 
This is not the desired behavior in my case, and I would think it would be safe to redirect to <site_url>/wp-login.php?<query string with key and login removed> I can work around it in the main site's rewrite rules by forcing /wp-login to /blog/wp-login, but that seems as if it shouldn't be necessary. Thanks for your consideration." normjhansen Tickets Awaiting Review 51008 Issue with multisite new user registration Login and Registration 5.5 normal critical Awaiting Review defect (bug) new 2020-08-14T18:51:00Z 2020-08-14T19:01:50Z "I replicated this issue with a brand new install. I am using multisite setup. I updated to WP 5.5 and noticed it no longer allows you to register for the individual site. In this example(testsite1 is the sub-site), When a user clicks register -> test.com/testsite1/wp-login.php?action=register It'll redirect the user to the main site -> test.com/wp-signup.php When you sign up using that page, the user is not connected to any site within the network. However, the user does appear in wp-admin/network/users.php" onehare Tickets Awaiting Review 60801 New sessions are created when user authenticates but there already are active sessions Login and Registration 6.4.3 normal normal Awaiting Review defect (bug) new 2024-03-18T18:28:41Z 2024-03-19T11:49:09Z "**The problem:** When a user logs in to WordPress a new session is created. If the user opens a new browser tab and navigates to website/wp-admin, the user does not need to authenticate because of the session cookies are saved in the browser, which is the expected behaviour. The same happens even when the user closes the browser completely and reopens it within the duration of that session. However, if the user navigates to the URL *website/wp-login.php* on the website they are already logged in, the user is presented with a login page, and upon authenticating WordPress creates a new session and new cookies etc, instead of ""retrieving"" the existing logged-in session. **How to reproduce:** 1. 
Log in to a WordPress website 2. Open a new browser tab on the same browser (you can close the previous one) 3. Navigate to the login page of the same website you are already logged in to: *website/wp-login.php* 4. Log in At this point there are two different sessions for the same user in the database and in the browser the user has multiple sets of cookies for the different sessions. **The issues this causes:** 1. Excessive amount of unnecessary session data in the database. We've seen some large websites with tens of thousands of session entries in the database. 2. Site admins who try to control / limit / manage the number of simultaneous user sessions with third party plugins end up having a lot of problems, such as locking out legit users etc **Possible solution?:** There are a few possible solutions, however, the easiest one we can think of is to check for session cookies in the users' browsers whenever they access the *wp-login.php*, and if there are, retrieve that session." robert681 Tickets Awaiting Review 38769 Possible password reset loop Login and Registration normal normal Awaiting Review defect (bug) new 2016-11-12T13:11:48Z 2019-03-25T21:41:17Z " == Bug summary == After registering (wp-login.php?action=register) you get straight to the '''login screen''' with a small notice to check your email (wp-login.php?checkemail=registered). But logging-in is not even possible because users have to set their password via a link provided in their email in the first place. '''If users nevertheless try to login they get a misleading error message that could lead to an endless loop of password reset and the user will not be able to register.''' '''Bug 1:''' There should be no login form where a user cannot log-in. (attachment 1) '''Bug 2:''' There should be the message that the user has to set the password first. 
(attachment 2) '''While these things seem to be tiny the results are severe.''' == Bug description == If users register they see after submitting the register form the login form with the message ""Registration complete. Please check your email."" on top. They often overlook this message and try to log-in even if they didn't set a password yet. This leads to situations where users are not able to register: 1. When users try to log-in directly after registration they get the message that the password is wrong. (see attachment) 2. Because of the misstated error message they go to the ""Lost your password?"" form and try to get a new password. 3. They now check their email for the first time and open the email from the registering (!) and not the ""lost password"" email. 4. They click on the link for setting the password in the register email. 5. This link is invalid because of step 2. 6. They then try again to get a new password. 7. They go back to their email account and open the email from step 2 (!) and open this link. Because of step 6 the link is again invalid. 8. They try to get a new password. 9. And so on. Having the impression to be trapped in an endless loop they often think that the website is full of bugs, are not interested to register anymore or contact the support for removing bugs. '''I could provide dozens if not even hundreds of cases where this happened to my website.''' == How to reproduce the bugs?== 1. Try to register. 2. Try to log-in even without a password (put your usual password in it). 3. Set your password back after the error message. 4. Go to your email account and open the register email. Click on the link. 5. You get the message that the link is invalid. Set your password back. 6. Open the email from step 3 and so on. == tl;dr == After registration you see the login form even if you don't set a password yet. 
If you try to log-in (even if you don't set a password yet) you get a misleading error message that could trap you in an endless password reset process. Users then give up on registering or contact support. It is not just theory. Every day, I lose angry customers or have to support them. Please have a look to the attachments." yetAnotherDaniel Tickets Awaiting Review 42481 TEST_COOKIE and LOGGED_IN_COOKIE secure flag create issues on non-secure login Login and Registration 4.9 low normal Awaiting Review defect (bug) new 2017-11-09T01:30:29Z 2019-04-29T08:24:10Z "Once a user has accessed the login form over https (possible without a valid ssl license, ignoring the browser warning) the WordPress TEST_COOKIE will have the secure flag set https://core.trac.wordpress.org/browser/trunk/src/wp-login.php#L433 When that user goes back to login over http, this will no longer be possible. The test cookie will be ignored by the browser because of the secure flag. Without the test cookie, all login attempts will be redirected back to the login form with a warning about cookies not being set by the browser. Most users will not know why this happens and will no longer be able to log in. The user will have to go back to https, open the developer toolbar, delete the cookie and then back to http. Only then the test cookie will be set again, this time without the secure flag. A work-around to prevent users from being locked out like this, is to make the test cookie name ""http/s aware"" with something like this in wp-config.php: {{{ $secure = ( isset($_SERVER['HTTPS']) && 'on' == $_SERVER['HTTPS'] ) ? '_sec' : ''; define( 'TEST_COOKIE', 'wordpress' . $secure . '_test_cookie' ); }}} (using wordpress_sec for secure cookie similar to the auth cookie) But... the real question is: '''Why does the test cookie need the secure flag at all?''' There is no sensitive information passed and it's only there to (as the name suggests) test for cookie unaware or blocking browsers. 
At least as far as I can tell, there would be no possible problem with simply removing this cookies secure flag. This will not affect any sensitive login/session cookies secure flags. Or am I mistaken? Are there use cases where the browser can be set to accept cookies over https while blocking them over http? " RavanH Tickets Awaiting Review 49633 Trim cookie paths Login and Registration 5.3.2 normal normal Awaiting Review defect (bug) new 2020-03-12T16:00:09Z 2020-03-12T16:00:09Z " I had just migrated a WP website that was very old. I encountered an issue that took several hours to debug. The site was on PHP 5.6 and I updated everything to use PHP 7.3. At PHP 5.6 this was not an issue, but was at PHP 7.3. The site seemed to be loading fine. No errors in the PHP error logs. However, I was not able to login to the WP Admin. After I defined error logging true. I get this: [[Image(https://kevinbrent.com/images/1.png)]] After several hours of debugging I found this: [[Image(https://kevinbrent.com/images/2.png)]] I was able to fix this in the DB. But, feel that WP could simply trim spaces from cookie paths since they are not allowed by PHP. [[Image(https://kevinbrent.com/images/3.png)]] There are 3 constants that require this attention. {{{ COOKIEPATH }}} {{{ SITECOOKIEPATH }}} {{{ PLUGINS_COOKIE_PATH }}} " Kevin Brent Tickets Awaiting Review 59373 TypeError: str_contains() argument must be of type string, array given in wp-login.php Login and Registration 6.3.1 normal normal Awaiting Review defect (bug) new 2023-09-16T23:06:41Z 2023-10-05T01:24:43Z "This seems to affect PHP 8.0 and higher. Downstream report at https://github.com/jquery/infrastructure-puppet/issues/34 > Seems to be an upstream issue where a `$_GET` or `$_REQUEST` key is checked for existence but not for type, thus prone to misuse when crafting query parameters in the array-form that PHP supports. 
Easily reproduced, for example, at: * HTTP 500 https://timotijhof.net/wp-login.php?redirect_to[x]=y * HTTP 500 https://jquery.com/wp-login.php?redirect_to[x]=y " TimoTijhof Tickets Awaiting Review 47088 Visiting wp-login.php whilst logged in logs you out Login and Registration 3.0 normal normal Awaiting Review defect (bug) reopened 2019-05-01T08:00:01Z 2023-10-10T00:28:18Z "I leave multiple, regularly-used WP admin tabs open in a browser window. The login sessions time out, as expected, resulting in tabs with URLs like https://example.com/wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2Fadmin.php%3Fpage%3Dfoo-bar&reauth=1 If I log in on such a tab to do something, then switch to another tab that also has that type of auto-logged-out URL, I am immediately logged out of the site. I would expect WP to realise that I am logged in and simply honour the redirect already in the URL, or at least provide the choice of logging out or going to the redirect page/dashboard." lev0 Tickets Awaiting Review 60748 auth_redirect() login check doesn't exist or doesn't work Login and Registration normal normal Awaiting Review defect (bug) new 2024-03-11T13:11:38Z 2024-03-11T13:33:04Z "The `auth_redirect()` documentation states: ""Checks if a user is logged in, if not it redirects them to the login page."" [https://developer.wordpress.org/reference/functions/auth_redirect/] However, unless a call to `auth_redirect()` is wrapped inside a `is_user_logged_in()` check, then it always sends people to the login page (even if a user is already logged in). I don't know if the documentation is incorrect or if there is a bug in the code. 
To reproduce, all you need to do is something like this: {{{#!php <?php add_action( 'wp', function() { if ( is_page( 2 ) ) { auth_redirect(); } } ); }}} " kratosgemini Tickets Awaiting Review 42377 "login screen empty fields msgs are not in sync with the ""Username or Email Address"" field label" Login and Registration 4.8.2 normal normal Awaiting Review defect (bug) new 2017-10-30T08:59:29Z 2017-10-30T08:59:29Z "(My first trac bug report everrrrr ...) Recently the ""Username"" field label on the login screen (and other places) changed to ""Username or Email Address"" and users can now be authenticated using either a username or an email address. Authentication by username is default implemented by means of a callback (wp_authenticate_username_password) hooked to the authenticate filter. Authentication by email address is default implemented by means of an additional callback (wp_authenticate_email_password) hooked to the authenticate filter. Implementation seems to be a bit sloppy and it doesn't provide much flexibility. This bug report will concentrate on flexibility in the empty field error msgs displayed when the ""Username or Email Address"" field is left empty (while providing input for the ""Password"" field). Below I'll describe 3 login situations and the resulting (mostly incorrect) error msgs followed by what I think are the correct error msgs. Note that the ""Username or Email Address"" field is intentionally left unchanged for convenience. This bug report is not about changing the field label as displayed in the login screen. WordPress core as is provides enough flexibility to do that. So here we go. 1. Both default authentication methods are hooked to the authenticate filter. On submitting an empty ""Username or Email Address"" field while providing a password the following msg is displayed: '''ERROR''': The username field is empty. (<== wrong) '''ERROR''': The '''Username or Email Address''' field is empty. 2. 
Only the wp_authenticate_username_password method is hooked to the authenticate filter. On submitting an empty ""Username or Email Address"" field while providing a password the following msg is displayed: '''ERROR''': The username field is empty. (<== actually correct) '''ERROR''': The '''Username''' field is empty. 3. Only the wp_authenticate_email_password method is hooked to the authenticate filter. On submitting an empty ""Username or Email Address"" field while providing a password the following msg is displayed: '''ERROR''': The email field is empty. (<== wrong) '''ERROR''': The '''Email Address''' field is empty. Since I prefer an error msg where the field label name stands out I've capitalized the field name as well as displayed them in bold. Also helps in reading the error msgs and see the differences. As can be seen we have an issue here. We can't always seem to get the proper field label reference in the empty field error msgs when submitting an empty ""Username or Email Address"" field. There must be a way for the methods to refer to their own field label part (Username/Email Address) when individually hooked to the authenticate filter but when both are hooked at the same time refer to the combined field label (Username or Email Address) in the error msg. I think the program logic needs to be changed so all three situations return the correct empty field error msg on login screen submit." nlpro Tickets Awaiting Review 53728 no re: definition towards the cloud-friendly environment Login and Registration normal minor Awaiting Review defect (bug) new 2021-07-21T21:20:28Z 2021-12-14T23:58:25Z "hi no re: definition towards the cloud-friendly environment eg. cognito integration miniorange sso is solving the purposes but they basically push the same code with a separate name. another problem is if ec2 instance hold a custom role no other software vendor able to detect the ec2 instances' role. 
they just keep asking for API key and access token even ec2 is in the same role. note:- if you go to IAM -> create a custom role with some set of role -> assign same role in ec2 none plugin creator detects ec2 role they just keep asking for API access token of IAM. thx sayantan " cadentic2018 Tickets Awaiting Review 40249 period as last character in username breaks activation link Login and Registration 4.7.3 normal normal Awaiting Review defect (bug) new 2017-03-24T10:38:43Z 2017-03-24T10:40:31Z "Many browsers and mail clients are converting text-URLs to clickable links. If a user chooses a username with a period at the end, the activation link in the mail could be incorrect, because the mail client thinks the period is a punctuation character. See this (non-working) URL for an example: https://www.domain.de/wp-login.php?action=rp&key=XXXXXX&user=ballspieler96. The period at the end is part of the username but not part of the URL. Fix: Don't use the username as last parameter. Instead use a defined parameter, which won't have periods as value (i.e. ""action"" or ""key"")" ilikewordpress Tickets Awaiting Review 44960 wp-login.php does not allow redirecting 'read' capability (Subscriber) to Dashboard instead of Profile upon login Login and Registration normal normal Awaiting Review defect (bug) new 2018-09-18T15:34:01Z 2018-09-18T15:34:01Z "Re: https://github.com/WordPress/WordPress/blob/4.9.8/wp-login.php#L965 I understand checking if $redirect_to is empty, but why specifically intercept users without 'edit_posts' capability that do have 'read' capability? Here's some code that I am using to override this: https://gist.github.com/cliffordp/35d74c3bceec9fbd10547b5d1ba988e5 I'm hoping this snippet will not be needed in the future. Thank you." 
cliffpaulick Tickets Awaiting Review 40595 wp_authenticate_username_password() should respect WP_Error object generated by higher priorities Login and Registration 4.7.4 normal normal Awaiting Review defect (bug) new 2017-04-28T13:46:54Z 2017-04-28T13:59:39Z "I've read through #19714 but believe this issue should be reopened. This issue affects anyone who needs to alter the normal authentication process by hooking into the authenticate filter at a high priority. Functions in the process flow should respect a WP_Error object if that is what it is handed, including wp_authenticate_username_password(). '''Expected Behavior''' function hooks ''authenticate'' filter, assigns priority 10. Function invalidates authentication attempt and returns a WP_Error object. Authentication should fail and error message displayed to user. '''Current Behavior''' Function hooks ''authenticate'' filter, assigns priority 10. Function invalidates authentication attempt and returns a WP_Error object. wp_authenticate_username_password() ignores WP_Error object, attempts authentication and returns its own error message, or goes ahead and authenticates the user. Functions could assign a priority less than 20 (i.e. 30), but then when will be required to decipher error codes and/or the user object to then determine if authentication should continue, '''after''' an authentication attempt has already been processed by wp_authenticate_username_password(), even if no authentication should have been attempted. In addition, if wp_authenticate_username_password() is not going to respect WP_Errors from higher priorities, why not assign it a priority of 1 and make it the very first item in the authentication process? 
" gilzow Tickets Awaiting Review 47170 wp_sensitive_page_meta breaks login on iPad devices Login and Registration 5.0 normal major Awaiting Review defect (bug) new 2019-05-07T16:28:57Z 2019-05-17T10:58:38Z "iPad Safari will throw a {{{ Failed to set referrer policy: The value 'strict-origin-when-cross-origin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'. }}} on wp-login.php page because it does not understand strict-origin-when-cross-origin value for the referer policy. This effectively breaks the login completely at least on nginx sites. Present starting with 4.9.10 (5.0.0 if chronologically)." madhazelnut Tickets Awaiting Review 54716 """Remember me"" label changed to ""Keep me logged in""" Login and Registration 2.0 normal trivial Awaiting Review enhancement new 2021-12-31T22:36:46Z 2022-02-20T22:29:05Z "I think the label ""Remember me"" to be misleading. The default ""Remember Me"" checkbox behaviour is: >If checked your browser keeps you logged in for 14 days. >If unchecked you're logged out when you quit the browser, or after two days. The checkbox function is not to remember the user identity, but to keep the authentication valid. The task of remembering the user credentials is on the browser. I think that ""Keep me logged in"" would be clearer and more consistent with other services around the internet. ""Keep me logged in on this computer"" is even more accurate. There are variations on the wording, like [Keep me|Stay][logged in|signed in]. Twenty years ago I would just have suggested to add a tooltip (title) with an explanation, but it has already been established in #24766 that title attributes are to be phased out. Amazon uses a full blown popup to explain the function of the checkbox. [[Image(amazon-signin.png)]] Although a totally minor issue I would like to have a discussion about this. 
" Cyberchicken Tickets Awaiting Review 49328 Add filter/action to append link to the login form footer inside the #login container Login and Registration normal trivial Awaiting Review enhancement new 2020-01-30T09:40:26Z 2020-01-30T22:07:05Z "At the moment, when using login_footer action, you can add the HTML at the bottom of login page. I think it can be useful to be able also to add some message or custom links to the #nav or #backtoblog area of the login form. At the moment, the only way is to use the hack described [here](https://wordpress.stackexchange.com/questions/99251/how-do-you-add-a-custom-link-to-the-wordpress-login-page) and it doesn't work for non-English pages." oksanaromaniv Tickets Awaiting Review 43080 Allow access to triggered WP_Error when using login_errors and login_messages filters Login and Registration 4.9.1 normal normal Awaiting Review enhancement new 2018-01-12T21:39:59Z 2020-10-13T03:28:56Z "Hi, There are currently 2 filters login_errors and login_messages but everything is string. As a consequence this is translated. It would be nice to add $wp_error (WP_Error) in these filters to make it even more customizable. " anonymized_10765487 Tickets Awaiting Review 44517 Allow specifying the WordPress username to be filled in on the login form via a URL parameter. Login and Registration normal normal Awaiting Review enhancement new 2018-07-05T03:36:04Z 2019-01-16T06:50:09Z "Hi All, I have a use case for WordPress that requires me to allow specifying the username that will be logged into for WordPress via a URL parameter. Essentially, a WordPress plugin allows creating a new username, only if a valid email has been sent. As part of the authentication flow, I want to be able to specify what the username was on the URL so that the user can just click the link that is sent to them via email, requiring only that their password be entered. I have provided a patch. Please let me know if there are any changes that should be made. Thanks!" 
datatim Tickets Awaiting Review 39929 "Improve ability to customize ""nav"" links below login form." Login and Registration 4.8 normal normal Awaiting Review enhancement new 2017-02-21T19:07:00Z 2017-02-21T19:11:52Z "In adding a Single Sign-On option to a site, I ran into trouble while trying to add a link to the login form. Flexibility could be introduced by adding an action inside each `p.nav` in `wp-login.php`, but there's already duplicated code. So, I've added a function that builds the output and allows plugins to add new links or change the existing links. Thanks for considering my request." dcavins Tickets Awaiting Review 38336 Login: Add new action hooks to the top of login type forms Login and Registration 4.6.1 normal normal Awaiting Review enhancement new 2016-10-17T20:11:14Z 2021-07-20T16:26:30Z "Currently there are action hooks that fire in the login forms after the fields have been loaded into the form. This allows new fields, new text, additional verification fields such as CAPTCHA, etc to be added after the username/email/password fields. However, currently there is not an easy way to add new fields to the top of the forms before the username/email/password fields without building a custom form. In my use case I require an Account/Membership number to be provided in addition to the email/username, which internally allows the same email address to be used with multiple accounts. The only place to add this new field without building a custom form is to add the field after the password field. The current field sequence on the form appears as email, password, account number. Since the account number field is more significant, it would be better to read the field sequence as: account number, email, password. 
In wp-login.php the login forms have the following action hooks: in form name=""loginform"" `do_action( 'login_form' );` in form name=""lostpasswordform"" `do_action( 'lostpassword_form' );` in form name=""registerform"" `do_action( 'register_form' );` in form name=""resetpassform"" `do_action( 'resetpass_form', $user );` I am requesting new additional action hooks to be created and placed at the top of each of the forms before any fields are defined. For example, in `form name=""registerform""` a new action hook such as `do_action( 'login_form_top' )` to appear directly after the form html line as follows: {{{ <form name=""loginform"" id=""loginform"" action=""<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>"" method=""post""> <?php /** * Fires before the fields are added in the login form. * * @since ?????? */ do_action( 'login_form_top' ); // <=== new action hook ?> <p> <label for=""user_login""><?php _e('Username or Email') ?><br /> <input type=""text"" name=""log"" id=""user_login""<?php echo $aria_describedby_error; ?> class=""input"" value=""<?php echo esc_attr( $user_login ); ?>"" size=""20"" /></label> </p> ... }}} The other forms (lostpasswordform, registerform and resetpassform) would be updated with similar action hooks at the top of each form." pagewidth Tickets Awaiting Review 58310 Move the login forms into functions and add them in place with a hook to allow them to be replaced Login and Registration normal normal Awaiting Review enhancement new 2023-05-14T17:39:20Z 2023-05-14T17:39:20Z "There are different ways to replace forms, one is the redirect to different page(s), another is to add it to the `login_form_{$action}` action add to add other things like `login_footer()` after and then exit. It will be much more flexible and convenient to filter the forms output instead of replicating things. It would be even better to add two hooks — the first to change the form function, and the second to filter HTML, if necessary. 
But perhaps this is too much. For reference, the wp-login.php file has 6 forms: - language switcher - admin email confirmation - lost password - password reset - register - login" oglekler Tickets Awaiting Review 57811 Should application password be usable for logins Login and Registration 5.6 normal normal Awaiting Review enhancement new 2023-02-26T13:59:44Z 2023-03-06T17:33:01Z "WordPress has, since version 5.6, bundled the ability to generate Application Passwords. These have been usable as HTTP Basic Auth tokens for REST API requests, but that is the extent of their use within core. In traditional use-cases, an Application Password is a specific token, used by one or more applications, to sign in and bypass the needs for other account security, such as for example two-factor authentication. I'm not sure how SVN interacts with user accounts, but in ''theory'' would this allow for application passwords for things such as commits to plugins/themes/core? It would also allow older integrations, like the ones relying on XMLRPC still, to continue working without additional plugins out of the box. I'd like to open the discussion if WordPress should perhaps also allow their use for this case? It is of course possible for a plugin to implement this already, but given how different WordPress is currently treating Application Passwords from what other services do, it seems like a valuable discussion to cover :)" Clorith Tickets Awaiting Review 42053 There should be an option to make wp_login_form() function's username and password input field required. Login and Registration 4.9 normal normal Awaiting Review enhancement reopened 2017-10-01T11:47:32Z 2019-04-24T22:03:20Z There should be options to make the `username` and `password` field required if necessary or if any developer wants to make it `required` by HTML in `wp_login_form()` function inside `src/wp-includes/general-template.php` file through `$args` argument. 
rnaby Tickets Awaiting Review 40705 Unable to login to admin backend from a wordpress login modal window Login and Registration 4.7.3 normal normal Awaiting Review enhancement new 2017-05-09T19:48:11Z 2017-05-09T21:15:38Z "Hello, I am unable to login to WordPress backend from the login modal. Always get 'ERROR: The password field is empty.' error but if I login through this link https://yourwebsite.com/wp-admin/ or https://yourwebsite.com/wp-login.php it works. I believe the modal login should work irrespective of where you are? Have experienced this on more than five sites. See the attached screenshot. http://prnt.sc/f5xwb8 Thanks" dickensayieko Tickets Awaiting Review 52390 Use specific page for postpass Login and Registration normal normal Awaiting Review enhancement new 2021-01-28T17:49:55Z 2021-01-28T17:49:55Z "Currently postpass uses wp-login.php which causes 3 problems: 1) If you want to monitor/rate/investigate logins to the site, this is mixed with postpass submissions. 2) if you want to limit access to wp-login through the webserver, this affects postpass 3) even if allow ?action=postpass to be widely accessible, ""action"" can be overridden via POST to login / reset passwords etc. Since postpass is not a real website login and may be used by non-members of the site, I suggest that postpass gets its own page like /postpass.php where only postpass requests can be done." briandd Tickets Awaiting Review 48899 Verification admin email again after just changed/updated email? Login and Registration 5.3 normal normal Awaiting Review enhancement new 2019-12-06T08:03:07Z 2019-12-06T14:21:41Z "Show the admin email verification after logged in, user is want to change the admin email. 1. Logged in. 2. Show the **verification admin email**. 3. Click the ""Update"". 4. Change the admin email on admin options setting screen. 5. Get the confirmation email. 6. Update the admin email. 7. Logged out. 8. Logged in. 9. **Verification admin email again**. 
I think add the admin email check internal when just update admin email." gqevu6bsiz Tickets Awaiting Review 43957 check_password_reset_key could use get_user_by instead of direct query Login and Registration 4.9.5 normal normal Awaiting Review enhancement new 2018-05-04T09:58:07Z 2018-05-04T12:14:13Z "Hi Just noticed, that {{{check_password_reset_key}}} is one of only a few functions making a direct query to the users table. Wouldn't it be more consistent to use the {{{get_user_by}}} function here. I came across this because I am replacing the {{{get_user_by}}} function with my own. Not being able to hook into the user retrieval in {{{check_password_reset_key}}} forces me to take a rather hackish approach by using the 'query' filter. I cannot see any advantages of making a direct query aside from bypassing the object cache. Maybe there is a security concern that I am not aware of? " thomaslhotta Tickets Awaiting Review 57540 make WordPress password management more “understandable”? Login and Registration 6.1.1 normal normal Awaiting Review enhancement new 2023-01-24T11:04:58Z 2024-02-15T17:47:46Z "Hey there 👋 I’m not sure I’m in the right place to suggest something but here I go: Are there plans to make WordPress password management more “understandable”? Let me explain : when my users need to change their password (after a lost password or an expiration), the “Save password” is confusing, most forget to copy/paste this password somewhere and understand that the password has been saved. https://markuphero.com/share/N8RP1UaE0rIYXih6TxiI If in addition the user is used to having his browser save his passwords, the confusion is even greater: the user clicks on “Save password”, returns to the login page, the browser automatically fills in the fields (with the old password) and obviously… login failure! 
I use cPanel and just had to create a new database, I find the user experience more explicit: I have a “Password generator” button and then a mandatory checkbox “I have copied this password in a safe place.” then finally a “Use password”. What do you think ? Am I the only one who thinks these steps deserve a better UX? 😬 " ludovicsclain Tickets Awaiting Review 30274 "wp-login.php Logo Image Use ""img"" tag rather than CSS background" Login and Registration 4.0 normal normal Awaiting Review enhancement reopened 2014-11-06T14:49:32Z 2017-02-19T17:53:28Z "The fact that the logo image that displays on www.website.com/wp-login.php is a background image rather than an ""img src"" html tag often makes it problematic, because support for resizing CSS backgrounds is more complicated than using ""img src"" tags. For example, it seems like every time I use a plugin or try to alter the logo image on wp-login.php it in some way, it takes some combination of the perfect image size and css hacks to make it responsive. Conversely, if it was an ""img"" tag, I could just apply ""width:100%; height:auto;"" or something like that. So, in conclusion, I propose switching from a background image to an ""img src"" html tag. [[Image(http://i.imgur.com/C5qwZtq.png)]]" themightymo Tickets Awaiting Review 41170 Allow the newbloguser screen to be themed Login and Registration 3.0 normal normal Awaiting Review feature request new 2017-06-25T19:59:04Z 2017-06-26T07:58:12Z "The appearance of the `newbloguser` screen is not themeable. It should be. Related: #37921" johnbillion Tickets Awaiting Review 39985 Do action before send email of retrieve password Login and Registration 4.7.2 normal normal Awaiting Review feature request new 2017-02-28T14:01:07Z 2017-03-08T02:49:10Z "Add do_action before sending email to recover password. Inspiration: I needed to integrate an SMS sending to recover password, where I had to use retrieve_password_message filter hook to get the user's phone number. 
https://github.com/WordPress/WordPress/pull/275" bonus369 Tickets Needing Feedback 50684 Font/font-size change on login screen Login and Registration normal normal Future Release defect (bug) new 2020-07-16T19:29:59Z 2023-08-19T09:45:51Z "On Windows 10, when a user logs in, the font and the font-size in the input boxes change. To be more precise, the wrong font and font-size is initially displayed. Only after clicking, the correct font and font-size appear. A recording: [[Image(https://i.imgur.com/siMssM6.gif)]] " superpoincare Unpatched Bugs 34236 Better passwords - differences between setting and resetting password? Login and Registration 4.3 normal normal defect (bug) new 2015-10-09T18:48:08Z 2021-02-23T06:07:14Z "1) When user registers on a site, there is notification email ""Your username and password info"" which contains 2 URL addresses: `<http://localhost/wp-login.php?action=rp&key=iJy9s6jdmcpNwM27iyWc&login=test>` `http://localhost/wp-login.php` Why is there the second URL? Nothing can be done here, only antispam filters can ban this email... 2) When user clicks the first link, new password can be set: ""Enter your new password below."" But why has button text ""Reset Password""? User is not resetting password, but only setting first (new) password. And after submitting, there is text ""Your password has been reset."" 3) Site admin receives 2 notification emails (for one registration): - ""New User Registration"": New user registration on your site... (same in pre 4.3) - ""Password Lost/Changed"": Password Lost and Changed for user... So, every site admin receive another notification email with not relevant info, because password was not lost and changed, but created for the first time. For sites with many users, it is surprising and not needed... When user changes its password on Profile page, site admin also does not receive any notification. As I understand it, there is no difference when user set first password or reset lost password? 
It can be confusing for some users... 4) When site admin adds a new user, custom password can be set. But newly added user does not know about it? User received only standard ""Your username and password"" email with link to creation of new password: To set your password, visit the following address... I am not sure, if I understand workflow completely, but it seems to me a little bit confusing..." pavelevap Unpatched Bugs 31830 Hard coded wp-login.php url in string Login and Registration 3.0 normal normal Future Release defect (bug) reopened 2015-04-01T06:53:58Z 2023-09-18T20:38:16Z "Hi. I noticed that in [https://core.trac.wordpress.org/browser/trunk/src/wp-includes/ms-functions.php?rev=32064#L1446 wp-includes/ms-functions.php] (`wpmu_welcome_notification`) the login url is hardcoded (wp-login.php) into the string. This will create a problem if a multisite developer has chosen to change the login page url (for security reasons). Thanks in advance Lena" lenasterg Unpatched Bugs 27086 Make auth-check logins work with 1Password Login and Registration normal normal defect (bug) new 2014-02-10T15:51:22Z 2019-06-04T20:06:45Z "After some conversation on Twitter, I've been testing 1Password's browser extensions against WordPress. It works fine when logging in normally, but when you get logged out and need to log in from an iframe, it fails pretty hard. Specifically, 1Password decides to fill *every* text input — even those that are hidden, that have content, or that aren't in the same form — with the login name. This is despite the web form fields being configured, present, and matching up perfectly. (By hidden I'm referring to type=""text"" that is visually hidden, not type=""hidden"".) Basic steps to trigger the issue: * Have a login saved from wp-login.php (making sure that your web form details are for ""log"", ""pwd"" and optionally ""rememberme""). * Edit a post. * Hit the 1Password global shortcut, ⌘\. 
It will fill in every text input, including the title, the tags meta box input, the slug meta box input, etc. It's a mess. Steps to reproduce with a real login form: * Have a login saved from wp-login.php, etc. * Edit a post. * Delete your login cookies. Wait three minutes, or speed things up by calling `wp.heartbeat.connectNow()` in your console. * An iframe should pop up (assuming you're not cross-domain, at least). Log in using ⌘\. * It'll log into the iframe and submit it, which closes it. * Note that the title field and all other text fields. Steps to reproduce to comedic results: * Have a login saved from wp-login.php, etc. * Visit Settings > General. * Delete your login cookies. Wait three minutes, or speed things up by calling `wp.heartbeat.connectNow()` in your console. * An iframe should pop up (assuming you're not cross-domain, at least). Log in using ⌘\. * It'll log into the iframe and submit it, which closes it. * Note that every single settings field is filled with your login. Here's a dead-simple HTML page to try that involves two different forms. Doesn't matter where the focus is when ⌘\ is invoked. Doesn't matter if it's one form, multiple forms, an iframe, whether the other inputs are even wrapped by form. {{{ <!DOCTYPE html> <head> <meta charset=""utf-8"" /> </head> <body> <form> <input type=""text"" name=""log"" /> <input type=""password"" name=""pwd"" /> <input type=""submit"" /> </form> <form> <input type=""text"" name=""title"" /> <input type=""text"" name=""foo"" /> <input type=""text"" name=""bar"" /> <input type=""text"" name=""baz"" /> </form> </body> </html> }}} It seems that ""If the fields saved in a Login item don’t match the ones on the page I try to fill what I can"" ([https://twitter.com/1Password/status/432687921154371584 source]) is inaccurate. It doesn't matter whether the fields match; and ""fill what I can"" actually means ""randomly stomp on all fields"". This reminds me of #24364. 
Possible solutions: * Disable all other inputs when the iframe is open, and re-enable them when closed. (Need to be careful to not re-enable previously disabled fields.) * Convince 1Password to release a fix for this. They happen to be WordPress users themselves, so it's not out of the question. There are numerous options here, as well — not filling in outside of an iframe is probably pretty safe, especially when fields also match 1:1. But one question would be how quickly they'd make a fix. I'd tend to think we'd be able to release 3.9 first. I filed an unrelated report of a simple, annoying, and straightforward bug about two months ago; their last bug fix release was about a month ago." nacin Unpatched Bugs 31076 Multisite signup functions don't support SSL Login and Registration normal normal defect (bug) new 2015-01-20T16:21:57Z 2019-06-04T20:10:42Z [source:tags/4.1/src/wp-signup.php#L612 confirm_blog_signup()], [source:tags/4.1/src/wp-signup.php#L361 confirm_another_blog_signup()], and [source:tags/4.1/src/wp-includes/ms-functions.php#L768 wpmu_signup_blog_notification()] use hardcoded `http://` links. SergeyBiryukov Unpatched Bugs 52721 No way to filter value of $credentials['remember'] in wp_signon Login and Registration 1.5.1 normal normal Future Release defect (bug) new 2021-03-05T11:44:54Z 2021-06-02T04:45:02Z "There are famous plugins out there using wp_signon and providing $credentials, so essentially $_POST values are completely ignored. Meanwhile, $credentials lacks of 'remember' value in these plugins, so for the wp_signon function means 'remember = false'. If you want to force that remember = 1, there's only the wp_authenticate filter available which: 1. is maybe deprecated? 2. does not pass the remember value So, basically, there is no way to filter the remember value, when the wp_signon function is not properly called by someone." 
mirkolofio Unpatched Bugs 34697 Password (re)set form fails when addressed as /wp-login.php/ Login and Registration 4.3.1 normal normal defect (bug) new 2015-11-16T02:47:09Z 2019-06-04T20:18:00Z "`setcookie` in resetpass uses `$rp_path` to set the path for the cookie, but does not use the same `$rp_path` when setting up the form action in HTML. This means that the cookie can be set to a path where it will not be submitted by the browser on post and thus the form will fail. Easily reproducible by changing the reset password link from `/wp-login.php?...` to `/wp-login.php/?...` For some reason Firefox works (submits cookie), but Chrome and IE fail (don't submit cookie)." friedcell Unpatched Bugs 33785 cannot login when someone got similar login but with polish special chars Login and Registration 4.3 normal normal defect (bug) new 2015-09-09T07:04:55Z 2019-06-04T20:16:04Z "hello i see issue that.. i have user with login Mały and user with login maly both got nicename maly cannot login to Mały after i changed in database login to szudarski started working properly also cannot then use login with email with additional plugin. greetings Pawel " nook86 Unpatched Bugs 23197 wp-activate.php, without explanation, does not load site plugins Login and Registration 3.0 normal normal Future Release defect (bug) reopened 2013-01-14T12:54:26Z 2022-06-14T01:36:09Z "I am the developer of a Wordpress plugin that modifies the Registration process. I am porting my code to Wordpress Multisite and am running into an odd obstacle. During the signup process, I store meta data in the signups table. I intend to restore that data after the user has activated their account using hooks located in wp-activate.php. I learned the hard way that wp-activate is altering the load sequence with the following flag. define( 'WP_INSTALLING', true ); The preceding comment says ""Define ABSPATH as this file's directory"", which to me does not entirely jive up. 
Regardless, with this flag in place, when Wordpress would normally determine what plugins to load in wp_get_active_and_valid_plugins, instead it returns an empty array. I do not believe this is the desired behavior. My solution has been to create a small ""must-use"" plugin simply for my activation related code. This however, is not a desirable solution since must-use plugins must be manually installed. I cannot determine much of an alternate solution; I cannot modify that flag in a plugin at any level since my plugin would never be loaded for it to get a chance to modify the flag. It is a bit of a chicken and the egg problem." radiok Unpatched Bugs 23637 wp-signup.php has overly aggressive CSS Login and Registration 3.0 normal normal Future Release defect (bug) new 2013-02-27T14:33:46Z 2020-03-04T06:25:13Z The CSS added through wp_head by wp-signup.php stops Multisite form fields from being styled through inheritance. Allowing inheritance will result in more consistent styling with the active theme (for example, field font-size). kwight Unpatched Enhancements 51786 Accessibility issue with the logo on the login page Login and Registration normal normal Future Release enhancement new 2020-11-16T13:36:38Z 2020-12-11T08:27:46Z "Currently, the login page (wp-login.php) contains a logo, that is created using the following HTML markup: {{{ <h1><a href=""https://wordpress.org/"">Powered by WordPress</a></h1> }}} Both the href URL and the link text can be filtered. Through CSS, the link text is placed off-screen, and a logo is added to the link as a background. The <h1> is required for proper a11y, but it should contain the title for the page below. Something like ""Log in"" would probably be ideal. Instead, it currently contains a link that takes the user off the page, with no description of the login page's content. This is causing serious issues for clients who are required to conform to WCAG standards, as required by European law. 
I'd like to suggest removing the <h1> from around the logo link, and adding an actual <h1> title to the white box below, with relevant textual content." roytanck Unpatched Enhancements 15706 Allow wildcarded domains in multisite limited email domains westi Login and Registration normal normal enhancement reviewing 2010-12-06T18:59:24Z 2019-06-04T20:02:25Z "Here at blogs.law.harvard.edu, we want to allow all harvard.edu subdomains to create blogs in our multisite install. There are hundreds of domains and it would be difficult to get a complete list because of the complexity of our DNS infrastructure. I propose allowing the inclusion of a single prefix wildcard character in the limited email domains feature. If a limited email domain contains a ""*"", we would create a regex and match that specific entry via a wildcard. So ""*.harvard.edu"" would match ""cyber.law.harvard.edu"", ""fas.harvard.edu"", etc. To match the root TLD, you'd just manually enter ""harvard.edu"". We have a variant of this applied as a core hack to our wordpress install at http://blogs.law.harvard.edu and it's been working fine for years. I will package it up as a patch if there's interest. Thoughts? I don't think it'd make sense to allow embedded wildcards (dom*ain.org)." djcp Unpatched Enhancements 17948 Enhancements to the login and registration forms wpdavis Login and Registration 3.2 normal normal Future Release enhancement new 2011-06-30T16:25:01Z 2017-10-06T16:23:13Z "I would like to propose a significant overhaul of the registration and login forms for 3.2, which I'd be happy to take on. A few things that I think would be helpful: Combine registration processes for multisite and single-user into one form on one page. Allow the registration and login to be templatized — no reason this should be for MS only. Standardize filters, actions and variables between MS and single-user when at all possible. 
A few related tickets: #17904 #17306 #17085 #16866 #16411 #17630" wpdavis Unpatched Enhancements 56224 Hardcoded wp-login.php vs login_url filter? Login and Registration normal normal Future Release enhancement new 2022-07-15T08:42:35Z 2023-09-18T20:51:29Z "The login_url filter allows changing the login URL. However there are a few places, where wp-login.php is hardcoded. Is the filter safe to use to modify the login url? Should (can?) those hardcoded wp-login.php in core be changed?" malthert Unpatched Enhancements 33307 Lack of any hooks for user registration in case of multisite installation AND BuddyPress Login and Registration 4.3 normal normal enhancement new 2015-08-07T22:02:22Z 2019-06-04T20:15:25Z "Hi there, Recently i get quite a few strange registrations so i wanted to implement a captcha to the registration form. I have WP multisite and BP 2.3.2 installed. One of my sites has no BuddyPress and just a normal registration, for this one it was really easy to get what i wanted: with ""signup_extra_fields"" hook i display the captcha and with ""add_signup_meta"" hook i can validate the captcha before any data is saved to the database. But when BP is enabled on a multisite installation, there is simply no hook defined in wpmu_signup_user function found in ms-functions.php. That way it seems to be impossible to validate the captcha with add_filter before the user is saved WP's ""signup"" table. This way one can not protect against spam registrations. Please consider adding a proper hook in WP 4.3. It is just a short line of code and can not break anything but that way the signup process would become controllable without modification of a core function." 
summoner Unpatched Enhancements 25192 Leverage signup_id when working with $wpdb->signups Login and Registration normal normal enhancement new 2013-08-30T14:32:59Z 2019-06-04T20:06:00Z Followup to #15004 — we should leverage the new primary key where possible, when working with $wpdb->signups. nacin Unpatched Enhancements 32401 Multi step authentication - adding hooks to wp-login.php Login and Registration 4.2.2 normal normal enhancement new 2015-05-14T18:14:20Z 2019-06-04T20:13:47Z "At the moment it's very difficult to add extra steps to wp-login.php. There are several situations where a second step is necessary: * There are TOTP plugins hosted on WordPress.org but they all assume every user will use 2FA and so show the field for the TOTP token in the login form. That's not appropriate for the situation where some users will have it enabled and some won't. * If you send a token to a user via SMS then you need a second step in the form after the user has typed their username/password. * If you use a captcha that doesn't target every user (i.e. it may be based on how many failed attempts there have been in the past hour for each account) that needs a second step too. The whole process of adding a second step to the login process is very hacky and involves copying lots of code from wp-login.php (which as I think we all know leads to very fragile plugins). Note that this ticket is not proposing including any kind of 2FA into WordPress core. This ticket is only about adding hooks to wp-login.php to make it much easier for people writing 2FA (and other authentication-related) plugins." tomdxw Unpatched Enhancements 18743 Persistent redirect_to For Login, Registration, and Lost Password Login and Registration 3.3 normal normal enhancement new 2011-09-22T07:04:39Z 2019-06-04T20:02:54Z "Currently, if redirect_to is passed in to the login screen and then a user clicks Register or Lost Password, the redirect_to gets lost. 
I think that the redirect_to should be persistent and honored whether the user logs in, registers or gets a lost password. I've written a hacky filter to do this, but I think this ought to be included in the core. Here's what I did: {{{ //Keep redirect_to in URL add_filter('site_url', 'foxyshop_add_registration_redirect', 5); function foxyshop_add_registration_redirect($path) { if ((strpos($path, ""action=register"") !== false || strpos($path, ""action=lostpassword"") !== false) && isset($_REQUEST['redirect_to'])) return $path . '&redirect_to='.urlencode($_REQUEST['redirect_to']); if (substr($path, strlen($path)-12) == ""wp-login.php"" && isset($_REQUEST['redirect_to'])) return $path . '?redirect_to='.urlencode($_REQUEST['redirect_to']); return $path; } }}} (I know 3.3 is in freeze now, but there wasn't another version option)" sparkweb Unpatched Enhancements 21352 wp_lostpassword_url() on multisite Login and Registration 3.3 normal normal Future Release enhancement new 2012-07-23T15:58:23Z 2021-10-20T15:03:43Z "The wp_lostpassword_url() function on Multisite outputs the link to the primary domain not the current domain. Although it works it's not what should be expected if a user is registered to use blog ID 2 but not Blog ID 1. The lost password email generated also links back to the primary domain not the current domain. " philly max Unpatched Enhancements 48345 Add Caps lock message to login screen Login and Registration normal normal Future Release feature request new 2019-10-17T12:05:10Z 2023-05-23T07:36:58Z "Users are often experiencing issues logging in which is a result of them having CAPS LOCK on, without them realising. Many wireless keyboards too don't have a light on them, which makes noticing this even trickier. There are a number of plugins available that will flag to the user when the CAPS LOCK is on (a message rather than a warning as it may be intentional!) 
but it would make sense for this to be added into core (possibly alongside other request improvements, such as the ability to display the typed password). Apologies if this is already a ticket - I did look but my search-fu on Trac isn't great." dartiss