Opened 5 years ago

Closed 3 years ago

Last modified 3 years ago

#10006 closed enhancement (wontfix)

Lost Password Requests - Hardening WordPress

Reported by: neoxx
Owned by: ryan
Milestone: (none)
Priority: low
Severity: minor
Version: 2.8
Component: Security
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

hi,

just a security thought: as i have a public authors list on my blog, an attacker could easily use this list to bother my users with password-reset mails.

fortunately, we have the lostpassword_post hook, thus i'm able to redirect all lost-password requests which are not based on registered e-mail addresses to wp-login.php?action=lostpassword. nevertheless, to avoid confusing my users, i still need to manually change the messages in wp-login.php from '*username or e-mail*' to only '*e-mail*'.

to summarize, it would be helpful to have a filter for these messages...

greetz,
berny

Change History (11)

comment:1 Denis-de-Bernardy 5 years ago

  • Keywords reporter-feedback added
  • Milestone changed from Unassigned to Future Release

You can override the login screen in its entirety in WP 2.8.

My understanding is that WP only ever sends one password reset request. I might be getting this wrong, however.

comment:2 Denis-de-Bernardy 5 years ago

  • Priority changed from normal to low
  • Severity changed from normal to minor

comment:3 serbanghita 5 years ago

As an extra feature to this, maybe it's useful to also include in this mail the IP and User-Agent information.
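The following is an added example, not code from this ticket or from WordPress core. It implements the two ideas raised so far in one small plugin: the reporter's use of the lostpassword_post action to accept only requests that name a registered e-mail address (so a harvested author list alone does not trigger reset mails), and serbanghita's suggestion of telling the recipient which IP and User-Agent made the request, via the retrieve_password_message filter. The function names, the plugin file name and the user-facing strings are the example's own; it assumes WordPress 2.8 or later, and allows for the fact that newer cores pass a WP_Error object to lostpassword_post while 2.8 passes nothing.

```php
<?php
/*
 * Plugin Name: E-mail-only password resets (added example)
 * Drop into wp-content/plugins/email-only-reset.php (hypothetical path).
 */

/**
 * Reject any reset request whose "user_login" field is not the e-mail
 * address of a registered user. A public author list yields usernames,
 * so usernames alone are no longer enough to trigger a reset mail.
 *
 * @param WP_Error|null $errors Passed by newer cores; absent on 2.8.
 */
function eor_require_registered_email( $errors = null ) {
    $login = isset( $_POST['user_login'] ) ? trim( (string) $_POST['user_login'] ) : '';

    // Accept the request only if it is an e-mail that maps to a user.
    if ( is_email( $login ) && get_user_by( 'email', $login ) ) {
        return;
    }

    if ( $errors instanceof WP_Error ) {
        // Newer cores: adding an error makes retrieve_password() return
        // before any mail is sent, and the form is shown again with it.
        $errors->add( 'email_only', __( 'Please enter the e-mail address of your account.' ) );
        return;
    }

    // 2.8-style hook with no $errors argument: bounce back to the form,
    // which is what the ticket reporter describes doing.
    wp_safe_redirect( site_url( 'wp-login.php?action=lostpassword' ) );
    exit;
}
add_action( 'lostpassword_post', 'eor_require_registered_email' );

/**
 * Append where the request came from, so a mail the account holder did
 * not ask for is easy to recognise and report.
 *
 * @param string $message Mail body built by core.
 * @param string $key     Reset key (unused here, kept for the signature).
 * @return string
 */
function eor_add_request_origin( $message, $key ) {
    // Caveat: behind a reverse proxy REMOTE_ADDR is the proxy's address;
    // only substitute a forwarded header if the proxy is trusted to set it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] )
        ? substr( strip_tags( $_SERVER['HTTP_USER_AGENT'] ), 0, 200 )
        : 'unknown';

    $message .= "\r\n" . sprintf( 'This request was made from IP %s using: %s', $ip, $ua ) . "\r\n";
    $message .= 'If you did not request a password reset, you can ignore this e-mail.' . "\r\n";
    return $message;
}
add_filter( 'retrieve_password_message', 'eor_add_request_origin', 10, 2 );
```

The second filter is registered with two accepted arguments because that is the signature core has used since 2.8; later versions pass extra arguments, which a two-argument callback simply ignores.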

comment:4 hakre 4 years ago

on wishlist30 for neoxx

comment:5 hakre 4 years ago

Related: #2870

comment:6 nacin 4 years ago

Related, #12682.

comment:7 neoxx 3 years ago

  • Keywords reporter-feedback removed

In addition to #12682: It would be helpful to have a bunch of filters for the messages generated in wp-login (e.g. http://core.trac.wordpress.org/attachment/ticket/15384/class-wp-login-20101222-r17107.php#L177). Right now I have to edit wp-login.php on every core update...

comment:8 coffee2code 3 years ago

@neoxx: The error messages you're referring to all get translated, so you can modify them via the 'gettext' filter without hacking core files. Check out http://blog.ftwr.co.uk/archives/2010/01/02/mangling-strings-for-fun-and-profit/
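As an added example of the approach coffee2code points to (not code from the ticket, the linked blog post, or WordPress core), this rewrites the lost-password strings through the 'gettext' filter instead of editing wp-login.php. The source strings used as keys are assumed to be those of the 2.8-era wp-login.php in the 'default' text domain; the filter matches on exact source text, so they need checking against the core version actually installed. Function name and replacement wording are the example's own.

```php
<?php
/*
 * Plugin Name: E-mail-only login strings (added example)
 */

/**
 * Swap the "username or e-mail" wording for "e-mail" wording on the
 * login screen only. 'gettext' fires for every translated string on
 * every request, so the callback bails out early and uses a plain
 * array lookup rather than pattern matching.
 *
 * @param string $translated Text after translation.
 * @param string $original   Source text as written in core.
 * @param string $domain     Text domain; core strings use 'default'.
 * @return string
 */
function eor_login_strings( $translated, $original, $domain ) {
    // Leave plugin/theme domains and every non-login page untouched.
    if ( 'default' !== $domain
        || empty( $GLOBALS['pagenow'] )
        || 'wp-login.php' !== $GLOBALS['pagenow'] ) {
        return $translated;
    }

    static $map = array(
        // Form label on wp-login.php?action=lostpassword (assumed 2.8 text)
        'Username or E-mail:' => 'E-mail:',
        // Error when the lookup fails (assumed 2.8 text, HTML prefix included)
        '<strong>ERROR</strong>: Invalid username or e-mail.'
            => '<strong>ERROR</strong>: Please enter the e-mail address of your account.',
        // Helper text above the form (assumed 2.8 text)
        'Please enter your username or e-mail address. You will receive a new password via e-mail.'
            => 'Please enter your e-mail address. You will receive a new password via e-mail.',
    );

    return isset( $map[ $original ] ) ? $map[ $original ] : $translated;
}
add_filter( 'gettext', 'eor_login_strings', 10, 3 );
```

Keying on the source text rather than the translated text means the mapping still applies when a language pack is active; if a site runs in another language the replacement values should of course be translated too.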

comment:9 neoxx 3 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

@coffee2code: Thanks for the tip, I wasn't aware of that filter.

Closing the ticket in favor of #12682.

comment:10 neoxx 3 years ago

  • Keywords login security lostpassword removed

comment:11 ocean90 3 years ago

  • Milestone Future Release deleted