Comments on: WordPress: Make Your WordPress A Little Bit More Secure http://www.snippetit.com/2009/05/wordpress-make-your-wordpress-a-little-bit-more-secure/ IT News, Programming, Internet and Blogging Thu, 21 Oct 2010 09:34:06 +0000 hourly 1 http://wordpress.org/?v=3.1.3 By: First Post — The David Sullivan http://www.snippetit.com/2009/05/wordpress-make-your-wordpress-a-little-bit-more-secure/comment-page-1/#comment-269 First Post — The David Sullivan Fri, 29 May 2009 14:22:28 +0000 http://www.snippetit.com/?p=173#comment-269 [...] tweet about a fix and I tried it and found that there was still work to be done.  See the article Make Your Wordpress a Little More Secure and note my response to [...] [...] tweet about a fix and I tried it and found that there was still work to be done.  See the article Make Your WordPress a Little More Secure and note my response to [...]

]]> By: szehau http://www.snippetit.com/2009/05/wordpress-make-your-wordpress-a-little-bit-more-secure/comment-page-1/#comment-245 szehau Sat, 16 May 2009 16:53:29 +0000 http://www.snippetit.com/?p=173#comment-245 You are quite right about that. I always design my system to show a successful request for the lost password retrieval although user keyed in an invalid user id. You are quite right about that. I always design my system to show a successful request for the lost password retrieval although user keyed in an invalid user id.

]]> By: David Sullivan http://www.snippetit.com/2009/05/wordpress-make-your-wordpress-a-little-bit-more-secure/comment-page-1/#comment-243 David Sullivan Sat, 16 May 2009 16:37:51 +0000 http://www.snippetit.com/?p=173#comment-243 Also, the "Lost Your Password" function gives away valid/invalid UserName. To fix in /wp-login.php, add the "//" comment tags in the two lines of the code below: case 'retrievepassword' : if ( $http_post ) { $errors = retrieve_password(); // if ( !is_wp_error($errors) ) { wp_redirect('wp-login.php?checkemail=confirm'); exit(); // } } Also, the “Lost Your Password” function gives away valid/invalid UserName. To fix in /wp-login.php, add the “//” comment tags in the two lines of the code below:
case ‘retrievepassword’ :
if ( $http_post ) {
$errors = retrieve_password();
// if ( !is_wp_error($errors) ) {
wp_redirect(‘wp-login.php?checkemail=confirm’);
exit();
// }
}

]]> By: szehau http://www.snippetit.com/2009/05/wordpress-make-your-wordpress-a-little-bit-more-secure/comment-page-1/#comment-238 szehau Fri, 15 May 2009 18:37:41 +0000 http://www.snippetit.com/?p=173#comment-238 Hi David Sullivan, Thanks for heading up that issue. I didn't notice that WP will focus the field that generate the login error and keep the user name in the field if the user name is correct. Hopefully the changes will be implemented in the future release of Wordpress. Hi David Sullivan,

Thanks for heading up that issue. I didn’t notice that WP will focus the field that generate the login error and keep the user name in the field if the user name is correct.

Hopefully the changes will be implemented in the future release of WordPress.

]]> By: David Sullivan http://www.snippetit.com/2009/05/wordpress-make-your-wordpress-a-little-bit-more-secure/comment-page-1/#comment-237 David Sullivan Fri, 15 May 2009 17:33:00 +0000 http://www.snippetit.com/?p=173#comment-237 Good post and much needed. However, WordPress still gives it away if you don't also edit the /wp-login.php file. For example, if the UserName is wrong, by default WP will focus the cursor to the user_login field and blank it out. But if the Password is the incorrect value and the UserName is correct, WP will fill in the user_login field correct UserName and focus the cursor to the user_pass field. The workaround in the wp-login.php file is two-fold: 1) Locate the login form with id="loginform" and under that locate the field with id="user_login" and remove the php text from the value parameter so that it says value="" (about line 469) 2) Next go to the bottom of the page just above the tag and edit the JavaScript so that between the tags it just says: try{document.getElementById('user_login').focus();}catch(e){} That should do it! Good post and much needed. However, WordPress still gives it away if you don’t also edit the /wp-login.php file.

For example, if the UserName is wrong, by default WP will focus the cursor to the user_login field and blank it out. But if the Password is the incorrect value and the UserName is correct, WP will fill in the user_login field correct UserName and focus the cursor to the user_pass field.

The workaround in the wp-login.php file is two-fold:
1) Locate the login form with id=”loginform” and under that locate the field with id=”user_login” and remove the php text from the value parameter so that it says value=”" (about line 469)

2) Next go to the bottom of the page just above the tag and edit the JavaScript so that between the tags it just says:
try{document.getElementById(‘user_login’).focus();}catch(e){}

That should do it!

]]>