Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#22421 closed enhancement (duplicate)

Make more security for users by hiding existing usernames in wp-login.php

Reported by: egorpromo
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.4.2
Component: Users
Keywords:
Focuses:
Cc:


I propose not showing the message “ERROR: Invalid username” on the wp-login.php page when a user enters an incorrect password. There must be a more common message on the wp-login.php page, like: “ERROR: invalid username or password”.

Also, I propose not creating a new password by entering a username in /wp-login.php?action=lostpassword. To create a new password, the user must enter an email only, not his username.

For security reasons, it is better not to uncover existing usernames.
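One way a site owner could get the uniform login message proposed above, as an added example that is not part of the ticket or of WordPress core: a small plugin hooked into core's `authenticate` filter. The `gle_` function name, the `gle_login_failed` error code and the priority of 100 are assumptions chosen for this sketch.

```php
<?php
/**
 * Plugin Name: Generic login errors (added example, not WordPress core code)
 */

/**
 * Replace the login errors that reveal whether an account exists with a
 * single error that is the same for an unknown user and a wrong password.
 *
 * Hooked at priority 100 (assumption) so it runs after core's own
 * authenticate callbacks, which are registered at lower priorities.
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier callbacks.
 * @param string                $username Submitted login name (unused).
 * @param string                $password Submitted password (unused).
 * @return WP_User|WP_Error|null
 */
function gle_uniform_auth_error( $user, $username, $password ) {
    // Successful login, or no attempt made yet: nothing to hide.
    if ( ! is_wp_error( $user ) ) {
        return $user;
    }

    // Core error codes that tell the visitor which half of the
    // credential pair was wrong.
    $revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

    // Leave unrelated errors (for example empty fields) untouched.
    if ( ! array_intersect( $user->get_error_codes(), $revealing ) ) {
        return $user;
    }

    // Same code and same text for both failure cases. The code name is
    // hypothetical; the wording follows the message proposed in the ticket.
    return new WP_Error(
        'gle_login_failed',
        __( '<strong>ERROR</strong>: invalid username or password.' )
    );
}
add_filter( 'authenticate', 'gle_uniform_auth_error', 100, 3 );
```

Hooking `authenticate` rather than only rewriting the text through the `login_errors` filter makes the error code uniform as well as the message, so code that branches on the error code sees no difference between the two cases. The lost-password form is not covered by this sketch.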

Change History (2)

#1 @helenyhou
3 years ago

Related/partial duplicate: #12129

#2 @SergeyBiryukov
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed