#58410 closed enhancement (wontfix)
global disable login and password reset / recovery
Reported by: | cederom | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | |
Component: | Login and Registration | Keywords: | |
Focuses: | | Cc: | |
Description
Hello world :-)
Would it be possible to completely disable User Login and Password Reset / Recovery functionality from the Options screen? I just want the site to return 403/404 with no further processing.
I have really a lot of automated bruteforce attacks that try to leverage login and/or use password recovery forms.
I have other ways to manage such a page (i.e. ssh wp), so in that case disabling login and password reset seems the most sensible and efficient solution.
At this point these functions can be disabled using .htaccess and manual php modification that impacts platform consistency.
Please consider adding option to disable Login and Password Reset forms.
Thanks :-)
Tomek
Change History (3)
#2
@
18 months ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
- Version 6.2.2 deleted
Hi @cederom and welcome to trac!
I don't think adding such an option would be a good idea for a couple of reasons:
- if set incorrectly, administrators may lock themselves out of their site if they don't have WP CLI access
- it's additional code to maintain for a minority of sites
As Jeff suggests in the comment above, this seems best served by a plugin in your case. You can lock these screens down using the login_form_lostpassword, login_form_retrievepassword, and allow_password_reset hooks.
I'm going to close this off as unplanned as it's currently achievable via existing hooks.
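The hook-based lockdown described in the comment above, as an added example (not code from the ticket participants or from WordPress core). It assumes the file is dropped into `wp-content/mu-plugins/`; the function name `example_dlr_deny` and the `EXAMPLE_DLR_BLOCK_LOGIN` constant are hypothetical, and the `login_form_rp`, `login_form_resetpass` and `login_init` hooks go beyond the three hooks the comment names.

```php
<?php
/**
 * Plugin Name: Disable Login and Password Reset (added example)
 * Description: Example must-use plugin; function and constant names are hypothetical.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Answer with a bare 403 and stop processing.
 * The hooks below fire only inside wp-login.php, so management paths
 * that never load that file are not affected by this function.
 */
function example_dlr_deny() {
	status_header( 403 );
	nocache_headers();
	exit;
}

// Two of the hooks named in the comment: both fire in wp-login.php before
// the lost-password form is rendered or its POST is handled.
add_action( 'login_form_lostpassword', 'example_dlr_deny' );
add_action( 'login_form_retrievepassword', 'example_dlr_deny' );

// Beyond the comment (assumption that these should be closed too):
// the actions that consume an emailed reset link.
add_action( 'login_form_rp', 'example_dlr_deny' );
add_action( 'login_form_resetpass', 'example_dlr_deny' );

// Third hook named in the comment: refuse to generate a reset key for any
// user, so reset requests fail even when they do not start at wp-login.php.
add_filter( 'allow_password_reset', '__return_false' );

// Beyond the comment: deny every wp-login.php request, login form included.
// Opt-in via wp-config.php so removing one line restores browser login:
//   define( 'EXAMPLE_DLR_BLOCK_LOGIN', true );
if ( defined( 'EXAMPLE_DLR_BLOCK_LOGIN' ) && EXAMPLE_DLR_BLOCK_LOGIN ) {
	add_action( 'login_init', 'example_dlr_deny', 0 );
}
```

Blocking `login_init` also stops `wp-login.php?action=postpass`, so password-protected posts can no longer be unlocked while the constant is set.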
#3
@
18 months ago
Okay, I will try the plugin.. or better modify the hooks myself by hand.. for some reason these attacks seem to bruteforce something (there are tens or even hundreds each day) or to be targeting plugin bugs.
The safest choice would be to have a core option to disable these functionalities without compromising installation integrity with manual modifications that also may be detected as malicious (not to mention possible auto-update interference).
At this time only maintenance mode seems a reasonable solution, and putting the whole site down. I think this option would come in handy in corner cases for aware users (even if available only via mysql table edit).
Thank you for your time and response.
@cederom that seems like something that I'd expect a plugin to help handle; have you searched for existing plugins to see if something will help you on this?