WordPress can "leak" if a username is valid
Reported by: Viper007Bond
Owned by:
When you enter a valid username but an invalid password, WordPress lets you know the username is valid by complaining that only the password is invalid.
Attached patch combines the two error messages so that if either the username or the password is wrong, it says the same error message which gives less away.
Makes it harder for a hacker to gain access to a blog.
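The difference the ticket describes, as an added example (not the attached patch and not WordPress code): a login check with separate messages beside one with a single message, plus a check that both failure cases produce the same reply. The user store, function names and message strings are constructed for illustration; the dummy-hash step goes beyond the ticket and keeps the work done for an unknown username the same as for a known one.

```php
<?php
// Constructed user store for this example; not WordPress's schema.
$users = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];

// "Before": separate messages reveal whether the username exists.
function login_leaky(array $users, string $user, string $pass): string {
    if (!isset($users[$user])) {
        return 'ERROR: Invalid username.';
    }
    if (!password_verify($pass, $users[$user])) {
        return 'ERROR: Incorrect password.';
    }
    return 'OK';
}

// "After": one message for both failure cases.
function login_uniform(array $users, string $user, string $pass): string {
    // Assumption beyond the ticket: verify against a dummy hash when the
    // username is unknown, so both paths perform one hash verification.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : $dummy;
    // password_verify() is evaluated first, so it always runs.
    $ok = password_verify($pass, $hash) && $known;
    return $ok ? 'OK' : 'ERROR: Invalid username or password.';
}

// Regression check: a valid username with a wrong password and an unknown
// username must be indistinguishable from the reply alone.
$cases = [['admin', 'wrong'], ['nobody', 'wrong']];
foreach (['login_leaky', 'login_uniform'] as $fn) {
    $replies = [];
    foreach ($cases as [$u, $p]) {
        $replies[] = $fn($users, $u, $p);
    }
    $same = count(array_unique($replies)) === 1;
    printf("%-14s %s\n", $fn, $same ? 'identical replies' : 'replies differ (username leak)');
}
```

The same comparison works as a regression test against any login endpoint: send both failure cases and diff the full responses, including status code and any redirect target, not only the visible message.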
Change History (9)
comment:2 @foolswisdom — 8 years ago
- Milestone changed from 2.3.2 to 2.5
- Version changed from 2.3 to 2.3.1