
Opened 11 years ago

Closed 9 years ago

Last modified 9 years ago

#10006 closed enhancement (wontfix)

Lost Password Requests - Hardening WordPress

Reported by: neoxx
Owned by: ryan
Milestone:
Priority: low
Severity: minor
Version: 2.8
Component: Security
Keywords:
Focuses:
Cc:
PR Number:

Description

hi,

just a security thought. - as i have a public authors list on my blog, an attacker could easily use this list to bother my users with password-reset mails.

fortunately, we have the lostpassword_post hook, thus i'm able to redirect all lost-password request, which are not based on registered e-mail addresses, to wp-login.php?action=lostpassword. nevertheless, to avoid confusing my users, i still need to manually change the messages in wp-login.php from '*username or e-mail*' to only '*e-mail*'.

to summarize, it would be helpful to have a filter for these messages...

greetz,
berny
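The restriction the reporter describes (refusing lost-password requests that identify the account by username, so a public author list cannot be used to trigger reset mails) can be implemented on the `lostpassword_post` hook. The following plugin is an added example written for this page, not code from the ticket or from WordPress core. It assumes the form field name `user_login` used by wp-login.php; the hook passes a `WP_Error` in WordPress 4.4 and later and nothing in the 2.8-era core the ticket was filed against, so the example handles both: it adds an error when it can, and otherwise redirects back to the form as the reporter did. The error text is an assumption and is kept generic so the response does not confirm whether an address is registered.

```php
<?php
/**
 * Plugin Name: Require an e-mail address for lost-password requests (added example)
 *
 * Drop into wp-content/mu-plugins/. Not part of the ticket; assumes the
 * lostpassword_post hook and the user_login field of the lost-password form.
 */

function example_require_email_for_lostpassword( $errors = null ) {
    // wp-login.php posts the account identifier (username or e-mail) as user_login.
    $login = isset( $_POST['user_login'] ) ? trim( stripslashes( $_POST['user_login'] ) ) : '';

    // A syntactically valid e-mail address is allowed through to core's normal lookup.
    if ( is_email( $login ) ) {
        return;
    }

    if ( $errors instanceof WP_Error ) {
        // WordPress 4.4+: an error added here makes retrieve_password() abort before
        // any mail is sent. The wording is generic on purpose (assumed text): it does
        // not reveal whether the supplied value matches an existing account.
        $errors->add(
            'example_email_required',
            __( '<strong>ERROR</strong>: Please enter the e-mail address of your account.' )
        );
        return;
    }

    // Older core (the 2.8 hook passes no arguments): bounce the request back to the
    // lost-password form, which is what the ticket description does.
    wp_safe_redirect( add_query_arg( 'action', 'lostpassword', wp_login_url() ) );
    exit;
}
add_action( 'lostpassword_post', 'example_require_email_for_lostpassword' );
```

Because the check runs before core looks the user up, no reset key is generated and no mail is sent for username-based requests. The form's own labels still say "username or e-mail" after this; changing those strings is the separate problem the ticket asks a filter for.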

Change History (11)

#1 @Denis-de-Bernardy
11 years ago

  • Keywords reporter-feedback added
  • Milestone changed from Unassigned to Future Release

You can override the login screen in its entirety in WP 2.8.

My understanding is that WP only ever sends one password reset request. I might be getting this wrong, however.

#2 @Denis-de-Bernardy
10 years ago

  • Priority changed from normal to low
  • Severity changed from normal to minor

#3 @serbanghita
10 years ago

As an extra feature to this, maybe it's useful to also include in this mail the IP and User-Agent information.

#4 @hakre
10 years ago

on wishlist30 for neoxx

#5 @hakre
10 years ago

Related: #2870

#6 @nacin
10 years ago

Related, #12682.

#7 @neoxx
9 years ago

  • Keywords reporter-feedback removed

In addition to #12682 : It would be helpful to have a bunch of filters for the messages generated in wp-login (e.g. http://core.trac.wordpress.org/attachment/ticket/15384/class-wp-login-20101222-r17107.php#L177). Right now I have to edit wp-login.php on every core update...

#8 @coffee2code
9 years ago

@neoxx: The error messages you're referring to all get translated, so you can modify them via the 'gettext' filter without hacking core files. Check out http://blog.ftwr.co.uk/archives/2010/01/02/mangling-strings-for-fun-and-profit/
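The `gettext` approach from the comment above, as an added example that is not part of the ticket or of WordPress core. `gettext` receives the translated string, the untranslated source string and the text domain, so the filter can match the source strings exactly and swap in new wording only on the lost-password screen, leaving wp-login.php untouched across core updates. The source strings below are those of the 2.8-era lost-password form and are an assumption to be checked against the running version; the replacement wording is also an assumption.

```php
<?php
/**
 * Plugin Name: Lost-password wording via the gettext filter (added example)
 *
 * Drop into wp-content/mu-plugins/. Assumes core's untranslated strings for
 * the lost-password form as they appeared around WordPress 2.8.
 */

function example_lostpassword_wording( $translation, $text, $domain ) {
    // Only core strings ('default' domain), only on wp-login.php, and only for the
    // lost-password actions, so nothing else on the site is affected.
    if ( 'default' !== $domain ) {
        return $translation;
    }
    if ( empty( $GLOBALS['pagenow'] ) || 'wp-login.php' !== $GLOBALS['pagenow'] ) {
        return $translation;
    }
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
    if ( ! in_array( $action, array( 'lostpassword', 'retrievepassword' ), true ) ) {
        return $translation;
    }

    // Keys are the untranslated source strings ($text), matched verbatim;
    // values are the wording shown instead. Both sides are assumptions.
    static $replacements = array(
        'Username or E-mail:' => 'E-mail:',
        '<strong>ERROR</strong>: Enter a username or e-mail address.'
            => '<strong>ERROR</strong>: Enter your e-mail address.',
    );

    return isset( $replacements[ $text ] ) ? $replacements[ $text ] : $translation;
}
add_filter( 'gettext', 'example_lostpassword_wording', 10, 3 );
```

Matching on the source string rather than the translation keeps the filter working regardless of the site's language, and limiting it by page and action keeps a global filter that runs on every translated string from silently rewriting text elsewhere.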

#9 @neoxx
9 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

@coffee2code: Thanks for the tip, I wasn't aware of that filter.

Closing the ticket in favor of #12682.

#10 @neoxx
9 years ago

  • Keywords login security lostpassword removed

#11 @ocean90
9 years ago

  • Milestone Future Release deleted