#10006 closed enhancement (wontfix)
Lost Password Requests - Hardening WordPress
| Reported by: | neoxx | Owned by: | ryan |
|---|---|---|---|
| Milestone: | | Priority: | low |
| Severity: | minor | Version: | 2.8 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
Hi,
Just a security thought: as I have a public authors list on my blog, an attacker could easily use this list to bother my users with password-reset mails.
Fortunately, we have the lostpassword_post hook, so I'm able to redirect all lost-password requests that are not based on registered e-mail addresses to wp-login.php?action=lostpassword. Nevertheless, to avoid confusing my users, I still need to manually change the messages in wp-login.php from '*username or e-mail*' to only '*e-mail*'.
To summarize, it would be helpful to have a filter for these messages...
Greetz,
berny
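The hook-based restriction the reporter describes, written out as a small must-use plugin. This is an added example, not code from the ticket or from WordPress core; it assumes the lost-password form posts its identifier in the `user_login` field and that the `lostpassword_post` action fires before the user lookup and mail are done (the behaviour the reporter relies on). Function names prefixed `example_` are illustrative.

```php
<?php
/**
 * Plugin Name: E-mail-only password resets (illustrative)
 *
 * Added example, not part of the ticket or of WordPress core.
 * Assumption: the lost-password form submits its value as 'user_login'
 * and 'lostpassword_post' runs before WordPress looks the user up.
 */

// Decide whether a submitted lost-password identifier is acceptable.
// Only a syntactically valid e-mail address passes; a bare username never does,
// so a harvested author list cannot be fed into the form one name at a time.
function example_lostpassword_identifier_allowed( $identifier ) {
    $identifier = trim( (string) $identifier );
    if ( '' === $identifier ) {
        return false;
    }
    // is_email() is WordPress's own address validator.
    return (bool) is_email( $identifier );
}

// Runs while wp-login.php processes a lost-password submission.
function example_restrict_lostpassword_to_email() {
    $submitted = isset( $_POST['user_login'] ) ? wp_unslash( $_POST['user_login'] ) : '';

    if ( example_lostpassword_identifier_allowed( $submitted ) ) {
        return; // Let WordPress continue with its normal lookup and reset mail.
    }

    // Username-based requests are bounced back to the form before any
    // reset mail is generated. wp_safe_redirect() refuses off-site targets.
    wp_safe_redirect( site_url( 'wp-login.php?action=lostpassword' ) );
    exit;
}
add_action( 'lostpassword_post', 'example_restrict_lostpassword_to_email' );
```

Drop the file into `wp-content/mu-plugins/` so it loads regardless of which plugins are active. Current WordPress releases also pass a `WP_Error` object to `lostpassword_post`, and adding an error to it aborts the request with a message instead of a redirect; the redirect form above is the one the reporter describes and works on the 2.8-era code the ticket was filed against.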
Change History (11)
#1 (15 years ago)
- Keywords reporter-feedback added
- Milestone changed from Unassigned to Future Release
#3 (15 years ago)
As an extra feature to this, maybe it's useful to also include in this mail the IP and User-Agent information.
#7 (14 years ago)
- Keywords reporter-feedback removed
In addition to #12682: It would be helpful to have a bunch of filters for the messages generated in wp-login (e.g. http://core.trac.wordpress.org/attachment/ticket/15384/class-wp-login-20101222-r17107.php#L177). Right now I have to edit wp-login.php on every core update...
#8 (14 years ago)
@neoxx: The error messages you're referring to all get translated, so you can modify them via the 'gettext' filter without hacking core files. Check out http://blog.ftwr.co.uk/archives/2010/01/02/mangling-strings-for-fun-and-profit/
You can override the login screen in its entirety in WP 2.8.
My understanding is that WP only ever sends one password reset request. I might be getting this wrong, however.
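The `gettext` approach from comment #8, as an added example that is not code from the ticket, the linked blog post or WordPress core. It rewrites the login screen's "username or e-mail" wording at translation time so no core file needs editing. The source strings in the map are assumed: `gettext` only fires for an exact, untranslated match, so they must be checked against the `wp-login.php` of the installed version. The `login_init` action used to scope the filter is present in current WordPress and is assumed available here; function names prefixed `example_` are illustrative.

```php
<?php
/**
 * Plugin Name: Lost-password wording via gettext (illustrative)
 *
 * Added example, not part of the ticket or of WordPress core.
 * Assumptions: the source strings below match the installed wp-login.php
 * exactly, and the 'login_init' action is available.
 */

// Original core strings (text domain 'default') mapped to the wording we want.
// The keys are assumed for this example; verify them against your wp-login.php.
function example_lostpassword_string_map() {
    return array(
        'Username or E-mail:' => 'E-mail:',
        '<strong>ERROR</strong>: Invalid username or e-mail.' =>
            '<strong>ERROR</strong>: Invalid e-mail address.',
    );
}

// gettext filter callback: return the replacement for a mapped core string,
// otherwise hand back the translation untouched. Strings from plugin or theme
// text domains are never touched.
function example_translate_lostpassword_string( $translation, $text, $domain ) {
    if ( 'default' !== $domain ) {
        return $translation;
    }
    $map = example_lostpassword_string_map();
    return isset( $map[ $text ] ) ? $map[ $text ] : $translation;
}

// Attach the filter only while wp-login.php is running, so every other
// translated string on the site does not pay for the lookup.
function example_hook_lostpassword_strings() {
    add_filter( 'gettext', 'example_translate_lostpassword_string', 10, 3 );
}
add_action( 'login_init', 'example_hook_lostpassword_strings' );
```

The filter receives the already-translated text first and the untranslated source second; matching on the source (`$text`) keeps the mapping stable across locales, and restricting it to the `default` domain avoids accidentally rewriting identical strings shipped by plugins.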