The WordPress login page displays error messages that help attackers crack the system.
When the username is valid but the password is invalid, the WordPress login page displays the error message below:
“The password you entered for the username admin is incorrect”, where admin is the username. Now the attacker can guess that admin is a valid username. 50% of his job is done, and now he only has to guess the password.
When the username is invalid, the WordPress login page displays the error message below:
“Invalid username”. This is a safer method, but the attacker still learns that the username is invalid. Now the attacker has to guess the username.
If you want to remove these messages for incorrect login attempts, follow the steps below:
- Go to your WordPress installation directory
- Open the file wp-login.php
- Search for the line
echo '<div id="login_error">' . apply_filters('login_errors', $errors) . "</div>\n";
- Remove the following part of the line (do not forget to remove the dot, as shown below)
apply_filters('login_errors', $errors) .
- The final line looks like this
echo '<div id="login_error">' . "</div>\n";
- You can also put your own custom text in place of the removed function call (do not remove or replace the dot if you are replacing the function with custom text)
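
Because the line above passes the message through the `login_errors` filter, the same effect can be achieved from a small plugin instead of editing wp-login.php, which a core update overwrites. The following is an added example, not code from the original post or from WordPress itself; the file location, the `gle_` function names and the `login_failed` error code are assumptions.

```php
<?php
/**
 * Plugin Name: Generic login errors (added example, not part of WordPress core)
 *
 * Assumption: saved as wp-content/mu-plugins/generic-login-errors.php.
 * All names prefixed gle_/GLE_ are hypothetical.
 */

// Error codes core sets when the username, e-mail address or password is wrong.
const GLE_LEAKY_CODES = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

/**
 * Runs at priority 100, after the core authenticate handlers, and swaps any
 * credential-specific failure for one error that is identical in every case.
 */
function gle_generic_auth_error( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // Successful login or no decision yet: leave untouched.
    }
    if ( ! array_intersect( GLE_LEAKY_CODES, $user->get_error_codes() ) ) {
        return $user; // e.g. empty_username: reveals nothing, keep it.
    }
    return new WP_Error( 'login_failed', __( 'Incorrect username or password.' ) );
}
add_filter( 'authenticate', 'gle_generic_auth_error', 100, 3 );

/**
 * Second layer on the login_errors filter that wp-login.php applies:
 * if a message (e.g. from another plugin) still echoes the submitted
 * login name, replace it. A very short login may match unrelated text;
 * the only effect is that the generic message is shown instead.
 */
function gle_scrub_login_errors( $errors ) {
    // 'log' is the name of the username field on the wp-login.php form.
    $login = isset( $_POST['log'] ) ? esc_html( wp_unslash( $_POST['log'] ) ) : '';
    if ( '' !== $login && false !== stripos( $errors, $login ) ) {
        return __( 'Incorrect username or password.' );
    }
    return $errors;
}
add_filter( 'login_errors', 'gle_scrub_login_errors' );
```

Unlike deleting the call in wp-login.php, this keeps messages that reveal nothing about an account (such as an empty field) and shows the same text whether the username or the password was wrong.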