Make WordPress Core

Opened 13 years ago

Closed 11 years ago

Last modified 11 years ago

#10006 closed enhancement (wontfix)

Lost Password Requests - Hardening WordPress

Reported by: neoxx
Owned by: ryan
Milestone:
Priority: low
Severity: minor
Version: 2.8
Component: Security
Keywords:
Focuses:
Cc:



Just a security thought. As I have a public authors list on my blog, an attacker could easily use this list to bother my users with password-reset mails.

Fortunately, we have the lostpassword_post hook, thus I'm able to redirect all lost-password requests which are not based on registered e-mail addresses to wp-login.php?action=lostpassword. Nevertheless, to avoid confusing my users, I still need to manually change the messages in wp-login.php from '*username or e-mail*' to only '*e-mail*'.

To summarize, it would be helpful to have a filter for these messages...
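The hook-based approach described in the ticket, written out as an added example (this is illustrative plugin code, not the reporter's or WordPress core's own). It refuses lost-password requests whose login field is not an e-mail address, so a username harvested from a public authors list cannot be used to trigger reset mails. The function name, the error code string and the plugin header are assumptions; `is_email()`, `wp_safe_redirect()`, `wp_lostpassword_url()` and the `lostpassword_post` action are WordPress functions and hooks.

```php
<?php
/*
Plugin Name: E-mail-only password resets (added example)
Description: Accepts lost-password requests only for e-mail addresses. Example code, not from the ticket.
*/

// Added example: reject lost-password requests that are not an e-mail address.
// Current WordPress versions pass the WP_Error collector as the first argument
// of 'lostpassword_post'; the 2.8-era hook passed nothing, so the fallback
// below redirects back to the form instead of reporting an error.
function example_email_only_lostpassword( $errors = null ) {
    $login = isset( $_POST['user_login'] ) ? trim( stripslashes( $_POST['user_login'] ) ) : '';

    // is_email() is WordPress's own address validator. Anything that is not an
    // address (for instance a username read off the authors list) is refused
    // before core looks the account up or sends any mail.
    if ( is_email( $login ) ) {
        return;
    }

    if ( $errors instanceof WP_Error ) {
        // 'invalid_email' is an assumed error code; core prints the message on the form.
        $errors->add( 'invalid_email', __( 'Please enter the e-mail address of your account.' ) );
        return;
    }

    // Fallback for releases that give the hook no arguments: send the visitor
    // back to the lost-password form without processing the request.
    wp_safe_redirect( wp_lostpassword_url() );
    exit;
}
add_action( 'lostpassword_post', 'example_email_only_lostpassword' );
```

Note what this does and does not change: the lookup of the address against registered accounts, and the decision to send a mail, remain WordPress's own logic. The check only removes the authors-list vector; someone who already knows a user's e-mail address can still request a reset for it, which is the behaviour core intends.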


Change History (11)

#1 @Denis-de-Bernardy
13 years ago

  • Keywords reporter-feedback added
  • Milestone changed from Unassigned to Future Release

You can override the login screen in its entirety in WP 2.8.

My understanding is that WP only ever sends one password reset request. I might be getting this wrong, however.

#2 @Denis-de-Bernardy
12 years ago

  • Priority changed from normal to low
  • Severity changed from normal to minor

#3 @serbanghita
12 years ago

As an extra feature to this, maybe it's useful to also include in this mail the IP and User-Agent information.

#4 @hakre
12 years ago

on wishlist30 for neoxx

#5 @hakre
12 years ago

Related: #2870

#6 @nacin
12 years ago

Related, #12682.

#7 @neoxx
11 years ago

  • Keywords reporter-feedback removed

In addition to #12682: It would be helpful to have a bunch of filters for the messages generated in wp-login (e.g. http://core.trac.wordpress.org/attachment/ticket/15384/class-wp-login-20101222-r17107.php#L177). Right now I have to edit wp-login.php on every core update...

#8 @coffee2code
11 years ago

@neoxx: The error messages you're referring to all get translated, so you can modify them via the 'gettext' filter without hacking core files. Check out http://blog.ftwr.co.uk/archives/2010/01/02/mangling-strings-for-fun-and-profit/
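The 'gettext' approach suggested in the comment above, as an added example (not code from the ticket or from the linked blog post). The filter receives the translated string, the untranslated source string and the text domain; core's own strings use the 'default' domain, so matching on the source string and domain relabels only the intended text. The function name is an assumption, and the two source strings in the table are assumed to match the wording of the installed wp-login.php; they must be copied exactly from the running version, since the filter matches on the untranslated string.

```php
<?php
// Added example: relabel the lost-password form through the 'gettext' filter
// instead of editing wp-login.php on every core update.
function example_relabel_lostpassword_form( $translated, $text, $domain ) {
    // Leave plugin and theme strings alone; core strings use the 'default' domain.
    if ( 'default' !== $domain ) {
        return $translated;
    }

    // Only the login screen needs the change; skipping other pages keeps the
    // filter cheap, since 'gettext' fires for every translated string.
    if ( ! isset( $GLOBALS['pagenow'] ) || 'wp-login.php' !== $GLOBALS['pagenow'] ) {
        return $translated;
    }

    // Keys are the exact source strings as they appear in the installed wp-login.php
    // (assumed here; verify against the running version). Values are the replacements.
    $replacements = array(
        'Username or E-mail:'                                          => 'E-mail:',
        '<strong>ERROR</strong>: Enter a username or e-mail address.'  => '<strong>ERROR</strong>: Enter your e-mail address.',
    );

    return isset( $replacements[ $text ] ) ? $replacements[ $text ] : $translated;
}
// Priority 10, three accepted arguments so $text and $domain are available.
add_filter( 'gettext', 'example_relabel_lostpassword_form', 10, 3 );
```

Because the match is on the source string, a change to core's wording silently turns the replacement off rather than breaking the page; checking the login form after each core update is the practical way to notice that.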

#9 @neoxx
11 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

@coffee2code: Thanks for the tip, I wasn't aware of that filter.

Closing the ticket in favor of #12682.

#10 @neoxx
11 years ago

  • Keywords login security lostpassword removed

#11 @ocean90
11 years ago

  • Milestone Future Release deleted