WordPress security: Hide login error messages

These days, there’s a lot of talk about WordPress security due to recent issues. Is your blog secure? Here is a quick tip you can easily implement to avoid displaying useful messages to potential blog hackers.

When you (or someone else) try to log in to your blog and fail, WordPress displays a message to let you know what happened. Sure, it may be useful to you, but it is certainly also useful to potential blog hackers.

To remove these messages, simply open your functions.php file and paste the following code:

// Return nothing for every login error (a closure replaces create_function(), which PHP 8 removed)
add_filter('login_errors', function ($a) { return null; });

That's all. No more error messages!

Thanks to Ryan Imel for this great tip!
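
As an added example (not part of the original post or of Ryan Imel's tip): WordPress core reports different error codes for an unknown username and for a wrong password, so a filter on `authenticate` can collapse just those into one generic message and leave other feedback, such as empty-field warnings, in place. The function name and the message text are assumptions chosen for illustration.

```php
// Added example for a theme's functions.php. The function name and the
// message text are hypothetical choices, not WordPress defaults.

/**
 * Collapse the credential-specific login failures into one generic error,
 * leaving unrelated errors (for example empty fields) untouched.
 */
function example_generic_login_error( $user, $username, $password ) {
    // A successful login (WP_User) or an undecided result (null) passes through.
    if ( ! is_wp_error( $user ) ) {
        return $user;
    }

    // Core error codes that reveal which half of the credential pair was wrong.
    $revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

    if ( array_intersect( $revealing, $user->get_error_codes() ) ) {
        // Same code and same text whichever check failed.
        return new WP_Error(
            'authentication_failed',
            '<strong>ERROR</strong>: Invalid username or password.'
        );
    }

    return $user;
}

// A late priority, so the filter sees the result of core's username/password checks.
add_filter( 'authenticate', 'example_generic_login_error', 99, 3 );
```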

24 Responses

Sep 14 2009 10:58

This is a good tip.

It should be pointed out, however, that this tip alone will do nothing to quell that worm that’s going ’round. Only upgrading to 2.8.4 will make your blog safe from that.

Sep 15 2009 03:37

oh… so poor…

Sep 15 2009 06:21

@Akbar: Your comment is also a great example of a “poor” thing.

Sep 15 2009 15:41

Simple and useful tip… It’s really important to safeguard our blog in every possible way.

Sep 15 2009 21:33

Short, simple and very useful tip. I would definitely try implementing it on my blog and see how it goes..

Sep 15 2009 21:37

Excellent one!!!

Sep 16 2009 22:52

I never thought it could be that easy… Thanks for the great tip :)

Sep 18 2009 09:54

Thanks for the useful security tips. We have to be aware of WordPress hackers…!

Sep 21 2009 10:01

I don’t know… Remove messages… I think in web sites and apps FEEDBACK is the best choice, because we need to inform users what’s going on, so renaming WordPress error messages is a better way to send nice feedback to users and put away malicious users.
Messages like “Please, check your username and password because they don’t match” or something like that, but I like to know that there exists an easy way to change it.

Sep 21 2009 17:10

I agree with Juarez. Not showing any reaction to the user’s error is not a good practice. But thank you for the help in finding a way to hide the unique message which can help an attacker identify some vulnerability. I am talking about the LoginLockDown login ‘your IP is blocked’ message. I can change it with the help of this recipe now. I put this code

function login_error_mess() {
    return 'ERROR: Invalid username or password.';
}
// Remove LoginLockDown's message about IP blocking
add_filter('login_errors', 'login_error_mess');

in my theme functions.php to have only one message for all kinds of login errors. Also I added this line to the functions.php

// Remove Login LockDown advertisement from Login Dialog
remove_action('login_form', 'll_credit_link');

in order to remove Login LockDown plugin identification/advertisement from Login dialog box.

Sep 22 2009 15:29

As already pointed out, people need feedback if something went wrong/right… But a great tip nonetheless, makes me think about all the other obvious messages which maybe can be used for breaking in…
Is this tip still a working solution, even if you upgraded to the 2.8.4 version?

Sep 29 2009 08:56

Yep, I agree that we DO need feedback in such a situation, but if everything is in control, this tip can be really useful, thanks )

Oct 01 2009 17:13

never thought of this error message hackers before :S

thank you
