Wordpress: Make Your Wordpress A Little Bit More Secure

Home » Earning with Website and Blogging » Wordpress: Make Your Wordpress A Little Bit More Secure

14May/094

Wordpress: Make Your Wordpress A Little Bit More Secure

ADVERTISEMENTS

When you login into your Wordpress Admin using wrong username, your Wordpress will prompt you an error message: Invalid username.

When you login into your Wordpress Admin using wrong password, your Wordpress will prompt you an error message: Incorrect password.

You may not notice the two error messages above actually give the intruder some hints about your login information.

When an intruder get an Invalid username message from your Wordpress, he or she will know that the username DOES NOT exist in your Wordpress database. He or she then can retry login to your Wordpress using other username.

When an intruder get an Incorret password message from your Wordpress, he or she will know that the username DOES exist in your Wordpress database. He or she then can concentrate on using different password to login into your Wordpress.

Change the login's error message

To make your Wordpress a little bit more secure, simply change the Invalid username and Incorrect password message to a simlar message that tell nothing about username or password, for instance, Invalid username or password or Login failed and any attempt to login will be recorded.

To change the error message, find the two error message in the \wp-includes\pluggable.php at about line 451 and 462. Replace the two error messages with the same error message so that the intruder does not know what's wrong with his login attempts.

[Updates - Thanks David Sullivan for the suggestions]

Change the username field's value

As suggested by David Sullivan, the username field should be cleared for the case user has submitted either an invalid username or password.

At about line 469, change the following codes:


<input type="text" name="log" id="user_login" class="input" value="<?php echo $user_login; ?>" size="20" tabindex="10" /></label>

to:


<input type="text" name="log" id="user_login" class="input" value="" size="20" tabindex="10" /></label>

Change the field focusing on error

As suggested by David Sullivan, the username field should be focused for the case user has submitted either an invalid username or password.

At about line 500, change the following codes:


<?php if ( $user_login ) { ?>
setTimeout( function(){ try{
d = document.getElementById('user_pass');
d.value = '';
d.focus();
} catch(e){}
}, 200);
<?php } else { ?>
try{document.getElementById('user_login').focus();}catch(e){}
<?php } ?>

to:


try{document.getElementById('user_login').focus();}catch(e){}

Change the page redirection on password retrieval

As suggested by David Sullivan, Wordpress should always redirect user to the email confirmation page (the successful page) to avoid showing error message which contains information about the submitted username/email.

At about line 288, change the following codes:


case 'retrievepassword' :
    if ( $http_post ) {
        $errors = retrieve_password();
        if ( !is_wp_error($errors) ) {
            wp_redirect('wp-login.php?checkemail=confirm');
            exit();
        }
    }

to:


case 'retrievepassword' :
    if ( $http_post ) {
        $errors = retrieve_password();
        //if ( !is_wp_error($errors) ) {
            wp_redirect('wp-login.php?checkemail=confirm');
            exit();
        //}
    }

Hopefully this changes will be reflected in the future release of Wordpress to make it a more secure blogging platform.

Tagged as: login, password, security, Wordpress Leave a comment

Comments (4) Trackbacks (1) ( subscribe to comments on this post )

David Sullivan
May 16th, 2009 - 01:33

Good post and much needed. However, WordPress still gives it away if you don’t also edit the /wp-login.php file.

For example, if the UserName is wrong, by default WP will focus the cursor to the user_login field and blank it out. But if the Password is the incorrect value and the UserName is correct, WP will fill in the user_login field correct UserName and focus the cursor to the user_pass field.

The workaround in the wp-login.php file is two-fold:
1) Locate the login form with id=”loginform” and under that locate the field with id=”user_login” and remove the php text from the value parameter so that it says value=”" (about line 469)

2) Next go to the bottom of the page just above the tag and edit the JavaScript so that between the tags it just says:
try{document.getElementById(‘user_login’).focus();}catch(e){}

That should do it!
szehau
May 16th, 2009 - 02:37

Hi David Sullivan,

Thanks for heading up that issue. I didn’t notice that WP will focus the field that generate the login error and keep the user name in the field if the user name is correct.

Hopefully the changes will be implemented in the future release of Wordpress.
David Sullivan
May 17th, 2009 - 00:37

Also, the “Lost Your Password” function gives away valid/invalid UserName. To fix in /wp-login.php, add the “//” comment tags in the two lines of the code below:
case ‘retrievepassword’ :
if ( $http_post ) {
$errors = retrieve_password();
// if ( !is_wp_error($errors) ) {
wp_redirect(‘wp-login.php?checkemail=confirm’);
exit();
// }
}
szehau
May 17th, 2009 - 00:53

You are quite right about that. I always design my system to show a successful request for the lost password retrieval although user keyed in an invalid user id.

First Post — The David Sullivan

« Get Paid to Be a Hacker! Twitter: Earn Money While You Tweet »

Subscribe and Follow

Blog Network

Snippet IT IT News, Programming, Internet and Blogging

Leave a comment

Subscribe and Follow

Sponsored Links

Blog Network

Recent Posts

Recent Comments

Categories

Tags

Archives

Blog Network

Snippet IT IT News, Programming, Internet and Blogging