Genericize WordPress Login Errors

When logging into WordPress, if you make any mistakes with your username or password, you may have noticed that the error messages WordPress provides are very specific. If you get your password wrong, you get a message that says, “The password you entered for the username Username is incorrect,” while if you get your username wrong, the message reads, “Invalid username.”

While this isn’t a huge deal, if somebody is trying to break into your site, WordPress confirms to them that they have correctly determined your username. (Usernames are revealed publicly in various places around a WordPress site, but for the security conscious, it is likely possible to prevent that, allowing you to keep your login credentials private.)

I’ve seen instructions for fixing WordPress’ login errors to not reveal too much information on a variety of sites, but all of them simply remove the whole damn error message. In other words, using their method, if you made a mistake logging in, you simply stay on the login page, with an empty alert box above the login form. That is simply unacceptable (and is very lazy on the part of whoever originally came up with that method).

A better solution is to drop the following into your custom_functions.php file. You’ll of course want to modify the strings to match whatever language your login page may be presented in!


/**
 * Genericize login error messages
 */
function brazenly_genericize_login_errors( $error ) {
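	// One message for either failure, so the response no longer confirms
	// whether the username exists.
	$new_message = 'The credentials provided are incorrect.';
	// Unknown username.
	$error = str_replace( 'Invalid username.', $new_message, $error );
	// Known username, wrong password.
	$error = preg_replace( '{The password you entered for the username <strong>.*</strong> is incorrect\.}', $new_message, $error );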

	return $error;
}
add_filter( 'login_errors', 'brazenly_genericize_login_errors' );
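
The filter above matches the English message text, which is why its strings have to be adjusted per language. As an added example (not the author's code), the same result can be keyed on WordPress's login error codes through the `authenticate` filter, so it does not depend on wording or locale; the function name and the `generic_login_failure` code are hypothetical.

```php
/**
 * Genericize login failures by error code instead of by message text.
 * Added example: the function name and the 'generic_login_failure'
 * error code are made up for illustration.
 */
function example_genericize_login_failure( $user, $username, $password ) {
	// A WP_User (success) or null (no handler has decided yet) passes through.
	if ( ! is_wp_error( $user ) ) {
		return $user;
	}

	// Core error codes that reveal which half of the credential pair was wrong.
	$revealing_codes = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

	// Other failures (for example empty_username or empty_password) are left
	// alone, since they disclose nothing about existing accounts.
	if ( ! array_intersect( $revealing_codes, $user->get_error_codes() ) ) {
		return $user;
	}

	// Replace the specific error with one generic error.
	// Translate the string to match the language of your login page.
	return new WP_Error(
		'generic_login_failure',
		'The credentials provided are incorrect.'
	);
}
// Priority 99 runs after core's username/email password checks (priority 20).
add_filter( 'authenticate', 'example_genericize_login_failure', 99, 3 );
```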

1 thought on “Genericize WordPress Login Errors”

  1. Kevin McGillivray

    Thank you! I’ve been reading articles all morning about how to remove the error message altogether and that’s just bad form. This was very helpful.
