WordPress Login Page Error Message Removal

WordPress Login Page displays messages error messages which help attackers in cracking the system.

In case of invalid password and valid user name WordPress Login Page displays below error message

“The password you entered for the username admin is incorrect” where admin is the username.Now attacker can guess that admin is right user name.50% of his job is done and now he has to guess the password only.

In case of invalid username WordPress Login Page displays below error message

“Invalid username” .This is more safer method but attacker knows that username is invalid.Now attacker has to guess the username.

Now of you want to remove these messages in case of incorrect login attempts follow below steps

  • Go to your wordpress installation directory
  • Open the file wp-login.php
  • Search for the line
echo '<div id="login_error">' . apply_filters('login_errors', $errors) .  "</div>n";
  • Remove the line (delete the line do not forget to remove the dot as shown below)
apply_filters('login_errors', $errors) .
  • The final line looks like below
echo '<div id="login_error">' . "</div>n";
  • You can also put any comment in place of the removed line (do not remove or replace the dot if you are replacing the function with custom text)

3 thoughts on “WordPress Login Page Error Message Removal

  1. Hi,

    For security is a very good point, but it is too bad practice.

    1, If wordpress will be updated, you have to do it again.
    2, There is also filter “apply_filters( ‘login_errors’, $errors )”, so you should use it in function php nad just echo empty string.

    Here is example:
    // Do not show error message for security resons
    function login_error_message($error){
    //check if that’s the error you are looking for
    $pos = strpos($error, ‘incorrect’);
    if (is_int($pos)) {
    //its the right error so you can overwrite it
    $error = “Wrong Info”;
    }
    return $error;
    }
    add_filter(‘login_errors’,’login_error_message’);

    3, The best solution for this is to filter error codes and the outputs from wp error object.

    I love your site.

    • Thanks for your wonderful comment.

  2. You will probobly like this version, because this do not tell when username is fine, but it do not validate if there is not any value, which I thing is fine.

    // Modified version
    function login_error_message($error){
    $error = “Wrong Info”;
    return $error;
    }
    add_filter(‘login_errors’,’login_error_message’);

    If something wrong, then just ouput: Wrong Info.

Leave a Comment