[wp-trac] [WordPress Trac] #12129: Generic login failure message

WordPress Trac noreply at wordpress.org
Wed Apr 17 11:37:28 UTC 2013 

#12129: Generic login failure message
-------------------------------+------------------------------
 Reporter:  scohoust           |       Owner:  ryan
     Type:  enhancement        |      Status:  closed
 Priority:  low                |   Milestone:  Awaiting Review
Component:  Security           |     Version:
 Severity:  normal             |  Resolution:  wontfix
 Keywords:  close 2nd-opinion  |
-------------------------------+------------------------------
Changes (by bobbingwide):

 * keywords:  2nd-opinion => close 2nd-opinion
 * status:  reopened => closed
 * resolution:   => wontfix
 * severity:  major => normal


Comment:

 OK. Given that there are numerous filters and actions I'm happy to close
 this with the following remarks.

 If you want to alter the text of the message produced for
 "invalid_username" or "incorrect_password" then you can implement a filter
 for "login_errors", replacing the passed in message with your own.

 Note: With the current implementation, you will need to determine the
 error from global $errors.
 {{{
 add_filter( 'login_errors', 'fob_login_errors' );
 function fob_login_errors( $message ) {
   global $errors;
   if ( isset( $errors->errors['invalid_username'] ) || isset(
 $errors->errors['incorrect_password'] ) ) {
     $message = sprintf( 'Invalid username/password combination.<br><a
 href="%1$s" title="%2$s">%3$s</a>?'
                       , site_url( 'wp-login.php?action=lostpassword',
 'login' )
                       , 'Request a new password'
                       , 'Lost Password'
                       );
   }
   return $message;
 }
 }}}


 Alternatively, implement the 'authenticate' filter to return null when
 there's a WP_error in $user.e.g.
 {{{
 add_filter( "authenticate", "fob_authenticate", 100, 3 );
 function fob_authenticate( $user=null, $username=null, $pass=null) {
   if ( is_wp_error($user) ) {
     $user = null;
   }
   return( $user );
 }
 }}}

 wp_authenticate will then create an 'authentication_failed' message with
 the required text, but with side effects that both fields are blanked out
 and there's no shaking (until 'authentication_failed' is added to
 $shake_error_codes).

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/12129#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list