Make WordPress Core

Opened 11 months ago

Closed 11 months ago

Last modified 11 months ago

#58410 closed enhancement (wontfix)

global disable login and password reset / recovery

Reported by: cederom's profile cederom Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords:
Focuses: Cc:

Description

Hello world :-)

Would it be possible to completely disable User Login and Password Reset / Recovery functionality from the Options screen? I just want site to return 403/404 with no further processing.

I have really lots of automated bruteforce attacks that try to leverage login and/or use password recovery forms.

I have other ways to manage such page (i.e. ssh wp), so in that case disabling login and password reset seems most sensible and efficient solution.

At this point these functions can be be disabled using .htaccess and manual php modification that impacts platform consistency.

Please consider adding option to disable Login and Password Reset forms.

Thanks :-)
Tomek

Change History (3)

#1 @JeffPaul
11 months ago

  • Severity changed from major to normal

@cederom that seems like something that I'd expect a plugin to help handle; have you searched for existing plugins to see if something will help you on this?

#2 @peterwilsoncc
11 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed
  • Version 6.2.2 deleted

Hi @cederom and welcome to trac!

I don't think adding such an option would be a good idea for a couple of reasons:

  • if set incorrectly, administrators may lock themselves out of their site if they don't have WP CLI access
  • it's additional code to maintain for a minority of sites

As Jeff suggests in the comment above, this seems best served by a plugin in your case. You can lock these screens down using the login_form_lostpassword, login_form_retrievepassword, and allow_password_reset hooks.

I'm going to close this off as unplanned as it's currently achievable via existing hooks.

#3 @cederom
11 months ago

Okay, I will try the plugin.. or better modify the hooks myself by hand.. for some reason these attacks seems to bruteforce something (there are tens or even hundreds each day) or targeting plugins bugs.

The safest choice would be to have core option to disable these functionalities without compromising installation integrity with manual modifications that also may be detected as malicious (not to mention possible auto-update interference).

At this time only maintenance mode seems reasonable solution and putting whole site down. I think this option would come handy in corner cases for aware users (even if available only via mysql table edit).

Thank you for your time and response.

Note: See TracTickets for help on using tickets.