[wp-trac] [WordPress Trac] #10006: Lost Password Requests - Hardening WordPress
WordPress Trac
wp-trac at lists.automattic.com
Tue Jun 2 10:25:04 GMT 2009
#10006: Lost Password Requests - Hardening WordPress
-------------------------+--------------------------------------------------
Reporter: neoxx | Owner: ryan
Type: enhancement | Status: new
Priority: normal | Milestone: Unassigned
Component: Security | Version: 2.8
Severity: normal | Keywords: login, security, lostpassword
-------------------------+--------------------------------------------------
Hi,

Just a security thought: as I have a public authors list on my blog, an
attacker could easily use this list to bother my users with password-reset
mails.

Fortunately, we have the lostpassword_post hook, so I'm able to redirect
all lost-password requests that are not based on registered e-mail
addresses to wp-login.php?action=lostpassword. Nevertheless, to avoid
confusing my users, I still need to manually change the messages in
wp-login.php from '*username or e-mail*' to only '*e-mail*'.

To summarize, it would be helpful to have a filter for these messages...

Greetz,
berny
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10006>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
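The workaround the ticket describes (bouncing lost-password requests that are not a registered e-mail address back to the form, then relabelling the field) as a small plugin. This is an added example, not code from the reporter or from WordPress core; the function names prefixed neoxx_example_ are hypothetical, the label string 'Username or E-mail:' is assumed to match the wp-login.php of the installed version, and get_user_by() is assumed to be available (it appeared in WordPress 2.8, the version on the ticket).

```php
<?php
/*
Plugin Name: E-mail-only lost password (added example)
Description: Accept password-reset requests only for registered e-mail addresses.
*/

// Runs on the lostpassword_post action, which wp-login.php fires in
// retrieve_password() before it looks the user up. Anything that is not
// a syntactically valid e-mail address belonging to an existing user is
// sent straight back to the form.
function neoxx_example_email_only_lostpassword() {
    $login = isset( $_POST['user_login'] ) ? trim( stripslashes( $_POST['user_login'] ) ) : '';

    // is_email() rejects usernames and malformed addresses outright, so the
    // attacker can no longer feed the public authors list into this form.
    if ( ! is_email( $login ) || ! get_user_by( 'email', $login ) ) {
        // Same redirect for "not an e-mail" and "e-mail not registered":
        // the response does not reveal which addresses have accounts.
        wp_safe_redirect( site_url( 'wp-login.php?action=lostpassword' ) );
        exit;
    }
    // A registered e-mail address falls through and core sends the reset mail.
}
add_action( 'lostpassword_post', 'neoxx_example_email_only_lostpassword' );

// The ticket asks for a filter on the form messages; until one exists, the
// generic gettext filter can relabel the field. The source string below is
// an assumption: verify it against your wp-login.php before relying on it.
function neoxx_example_lostpassword_label( $translated, $text, $domain ) {
    if ( 'default' === $domain && 'Username or E-mail:' === $text ) {
        return 'E-mail:';
    }
    return $translated;
}
add_filter( 'gettext', 'neoxx_example_lostpassword_label', 10, 3 );
```

Two things to check before deploying: that the reset form still works for a registered address (the action must fire before core validates the login, or the redirect never runs), and that the relabelled string really is the one core emits, since a mismatch silently leaves the old "username or e-mail" wording in place.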