Make WordPress Core

Opened 15 years ago

Closed 14 years ago

Last modified 14 years ago

#10006 closed enhancement (wontfix)

Lost Password Requests - Hardening WordPress

Reported by: neoxx Owned by: ryan
Milestone: Priority: low
Severity: minor Version: 2.8
Component: Security Keywords:
Focuses: Cc:

Description

hi,

just a security thought - as i have a public authors list on my blog, an attacker could easily use this list to bother my users with password-reset mails.

fortunately, we have the lostpassword_post hook, thus i'm able to redirect all lost-password requests which are not based on registered e-mail addresses to wp-login.php?action=lostpassword. nevertheless, to avoid confusing my users, i still need to manually change the messages in wp-login.php from '*username or e-mail*' to only '*e-mail*'.

to summarize, it would be helpful to have a filter for these messages...

greetz,
berny

Change History (11)

#1 @Denis-de-Bernardy
15 years ago

  • Keywords reporter-feedback added
  • Milestone changed from Unassigned to Future Release

You can override the login screen in its entirety in WP 2.8.

My understanding is that WP only ever sends one password reset request. I might be getting this wrong, however.

#2 @Denis-de-Bernardy
15 years ago

  • Priority changed from normal to low
  • Severity changed from normal to minor

#3 @serbanghita
15 years ago

As an extra feature to this, maybe it's useful to also include in this mail the IP and User-Agent information.

#4 @hakre
15 years ago

on wishlist30 for neoxx

#5 @hakre
15 years ago

Related: #2870

#6 @nacin
15 years ago

Related, #12682.

#7 @neoxx
14 years ago

  • Keywords reporter-feedback removed

In addition to #12682: It would be helpful to have a bunch of filters for the messages generated in wp-login (e.g. http://core.trac.wordpress.org/attachment/ticket/15384/class-wp-login-20101222-r17107.php#L177). Right now I have to edit wp-login.php on every core update...

#8 @coffee2code
14 years ago

@neoxx: The error messages you're referring to all get translated, so you can modify them via the 'gettext' filter without hacking core files. Check out http://blog.ftwr.co.uk/archives/2010/01/02/mangling-strings-for-fun-and-profit/
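As an added example (not code from the ticket, the reporter, or WordPress core), a small plugin that combines the two pieces discussed above: the lostpassword_post redirect from the description, which sends any request not based on a registered e-mail address back to wp-login.php?action=lostpassword, and the gettext filter from comment 8, used to change the form's "username or e-mail" wording without editing core. The function names are my own, and the source strings in the replacement map are assumptions that must match the exact wording of the running core version.

```php
<?php
/**
 * Plugin Name: E-mail-only password resets (added example)
 * Description: Rejects lost-password requests that are not a registered
 * e-mail address and rewrites the form wording via the 'gettext' filter.
 */

defined( 'ABSPATH' ) || exit;

/**
 * 'lostpassword_post' fires before WordPress looks the user up. A bare
 * username is sent back to the form, so a public author list cannot be
 * used to trigger reset mails by username. WP 2.8 passes no arguments to
 * this hook; newer versions pass a WP_Error, hence the optional parameter.
 */
function eor_require_registered_email( $errors = null ) {
	$login = isset( $_POST['user_login'] ) ? trim( stripslashes( $_POST['user_login'] ) ) : '';

	// Accept only a syntactically valid address that belongs to a user.
	if ( is_email( $login ) && get_user_by( 'email', $login ) ) {
		return;
	}

	// Same redirect for "not an e-mail" and "unknown e-mail", so the
	// response does not tell the requester whether an address is registered.
	wp_safe_redirect( add_query_arg( 'action', 'lostpassword', wp_login_url() ) );
	exit;
}
add_action( 'lostpassword_post', 'eor_require_registered_email' );

/**
 * 'gettext' receives ( $translation, $text, $domain ). $text must equal the
 * exact source string in the running core version; the keys below are
 * assumed and should be checked against wp-login.php.
 */
function eor_email_only_strings( $translation, $text, $domain ) {
	if ( 'default' !== $domain || empty( $GLOBALS['pagenow'] ) || 'wp-login.php' !== $GLOBALS['pagenow'] ) {
		return $translation;
	}
	$replacements = array(
		'Username or E-mail:'       => 'E-mail:',       // assumed label, older core
		'Username or Email Address' => 'Email Address', // assumed label, newer core
	);
	return isset( $replacements[ $text ] ) ? $replacements[ $text ] : $translation;
}
add_filter( 'gettext', 'eor_email_only_strings', 10, 3 );
```

Because the filter keys are compared to the untranslated source string, a mismatch silently leaves the original wording in place, so verify the labels on the lost-password form after activating.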

#9 @neoxx
14 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

@coffee2code: Thanks for the tip, I wasn't aware of that filter.

Closing the ticket in favor of #12682.

#10 @neoxx
14 years ago

  • Keywords login security lostpassword removed

#11 @ocean90
14 years ago

  • Milestone Future Release deleted