Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Support Sandip Pokhrel

    (@sandippokharel)

    Hi @narbutovskih

    Thanks for writing in,

    We tried to log in with an unregistered account and it gives the following error.

    Error: The username sandippokhrel is not registered on this site. If you are unsure of your username, try your email address instead.

    The error message you have mentioned is shown when the user inputs a wrong password/username. Would you please let us know exactly which message you are referring to?

    Regards!

    Thread Starter narbutovskih

    (@narbutovskih)

    Thank you Sandip,

    When a user attempts to login with a valid user name and invalid password the error message reads ERROR:The password you entered for username alice is incorrect. Lost Your Password?

    When a user attempts to login with both invalid user name and invalid password the error message reads ERROR:The password you entered for username cat is incorrect. Lost Your Password?

    It’s the same message, perhaps leading the user (or a hacker) to believe that the user name is valid. When both user name and password are incorrect the message should say so. I’m not getting the error message you quoted above.

    I work with narbutovskih and want to clarify that the main question is, can we as site administrators change the error messages that the plugin displays to the front-end users, and if so, how? The examples given are not the only ones we want to change.

    Thank you for your time.

    Update: I found where you can change error messages for specific fields (which I assume is handled by JavaScript) but not for errors that result from checking the database, such as a non-existent username or a password that is incorrect for a correct username. Do such server-level error messages come from WordPress core, or can your plugin modify any of them?

    Thanks again. I really like your plugin, by the way.

    Plugin Support Sandip Pokhrel

    (@sandippokharel)

    Hi @greentreefrog

    When the username is incorrect, our plugin will throw a message mentioning that the username is incorrect. It won’t check the password field in this case. Therefore, the error message you are seeing isn’t shown over here when we put in an incorrect username along with a random incorrect password. We suspect some other plugin might be overriding this one.

    Also, you can change the error message in case of incorrect username from User Registration > Settings > General > Login Options > Messages. Please try this and let us know if it helps or not.

    Regards!

    Sandip,

    I verified that when WordFence is deactivated, the error message for an invalid username is “Invalid username” (followed by the “Lost your password?” link). However, displaying “Invalid username” is a security risk, as then attackers know whether or not they have a valid username. That is why WordFence changes the error message used. We would prefer the message say, “Either the username or password is incorrect.” I am not seeing a setting for changing the error message for either the username or password field.

    WordFence seems to just substitute the invalid password message for the invalid username message. In that case, all we really need to change is the invalid password error message. If your plugin has a way to do that, please show me. Otherwise, I will try to do it with the “wp_login_errors” WordPress filter.

    Regards,
    Margaret

    • This reply was modified 2 weeks, 5 days ago by greentreefrog. Reason: Make a sentence clearer
    Plugin Support Sandip Pokhrel

    (@sandippokharel)

    Hi @greentreefrog

    You can use the following code snippet to customize the incorrect password error message.

    // Swap the incorrect-password message for a generic one.
    add_filter( 'login_errors', function ( $msg ) {
        if ( strpos( $msg, "<strong>ERROR:</strong>The password you entered for " ) !== false ) {
            $msg = __( 'Either the username or password is incorrect.', 'user-registration' );
        }
        return $msg;
    }, 10, 1 );

    You can customize the error message in case of an incorrect username from User Registration > Settings > General > Login Options > Messages. Please try this and let us know if it helps or not.

    Regards!
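
An alternative to matching on the message text, added here as an example and not taken from the thread, the plugin or WordFence: normalise the login failure by WordPress core's error code, so one generic message covers both an unknown username and a wrong password regardless of how the message is worded or translated. It assumes the login form authenticates through WordPress's `authenticate` filter; the `mysite` names, the text domain and the priority of 100 are placeholders chosen for the example.

```php
<?php
/**
 * Added example: return one generic error for every login failure that would
 * otherwise disclose which credential was wrong.
 * The "mysite" prefix and text domain are hypothetical placeholders.
 */

// WordPress core error codes that reveal whether the account exists.
const MYSITE_ENUMERATING_CODES = array(
	'invalid_username',   // no account with that username
	'invalid_email',      // no account with that email address
	'incorrect_password', // account exists, password is wrong
);

add_filter(
	'authenticate',
	function ( $user ) {
		// A WP_User (success) or null (nothing decided yet) passes through.
		if ( ! is_wp_error( $user ) ) {
			return $user;
		}

		// Leave unrelated failures (empty fields, lockouts set by other
		// plugins) exactly as they are.
		if ( ! array_intersect( $user->get_error_codes(), MYSITE_ENUMERATING_CODES ) ) {
			return $user;
		}

		// Same code and same text for both cases, so a front end that renders
		// by code or by message shows an identical response.
		return new WP_Error(
			'mysite_login_failed',
			__( 'Either the username or password is incorrect.', 'mysite' )
		);
	},
	100, // Assumption: runs after core's credential checks and other callbacks.
	1
);
```

Because the result is still a `WP_Error`, WordPress continues to fire `wp_login_failed`, so login-attempt limiting that relies on that action keeps working.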

    Plugin Support Sandip Pokhrel

    (@sandippokharel)

    Hi @greentreefrog ,

    Since we haven’t heard from you in a while, I’m going to go ahead and conclude this thread for now. However, if you have any further questions or if there’s anything else we can assist you with, please feel free to continue the conversation.

    Regards!

    greentreefrog

    (@greentreefrog)

    Thanks, Sandip. Sorry I did not get back to this sooner.

    The code you gave worked to change the error message (once I upped the filter’s priority to 11 instead of 10).

    There is a somewhat different, related problem: On the “Lost Password” page, without the WordFence plugin active, if I type an email address or username that does not exist, I get the error message, “Invalid username or email.” If the username does exist, the confirmation message is shown (“Password reset email has been sent.”) Again, this lets a would-be hacker know whether or not they have a valid username or email, so we would like to change it.

    However, there seems to be a conflict when both WordFence and UR are active: If the username or email is non-existent, no message appears at all on the “Lost Password” page, making it appear that the form failed to submit (which could still inform a hacker that the username or email did not exist). If the username does exist, the aforementioned confirmation message appears as usual.

    Although WordFence is a very popular security plugin, my guess is that this issue is seldom noticed. Real users type in their correct username or email most of the time and if they keep trying the wrong one, sooner or later they’ll probably either quit the website or ask an admin for help. But I’d rather show a message instead of nothing; something like, “A password reset email has been sent. (If you do not receive it, check your spam folder. Also be sure you entered a correct username or email address.)”

    Regards,
    Margaret

    Update: I have raised this issue on the WordFence support forum. Meanwhile, I did work out some PHP code to customize the behavior when the “Lost Password” form is submitted so that the same message would show regardless of whether a valid or invalid username or email was entered. Unfortunately, it only works when WordFence is deactivated. I will post the final solution here when I am sure everything works (unless someone else beats me to it).
