304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM

Internet Security

Securing WordPress Login Form: Concealing User Existence

In default WordPress settings, when a user attempts to log in with an incorrect username or email, a message appears indicating that the identifier does not exist.

This seemingly benign response can potentially expose a security vulnerability, malicious users could exploit it by collecting lists of valid usernames or e-mail addresses.

This can lead to nefarious purposes such as phishing attacks or brute force password recovery attempts.

The solution

To fortify our website’s security, we are going to override this error message behavior, ensuring that whether a user enters an incorrect identifier or a valid identifier with an incorrect password, the system’s response remains the same.

But keep in mind that this modification may impact the user experience.
A user who no longer remembers the e-mail address used could be confused without this message.

It’s up to you to decide whether you want to enhance site security at the expense of the user experience.

Let’s dive into the code to implement this security enhancement.

All it takes is a few lines of code to achieve this, and you don’t need to be a coding expert; simple copy-and-paste will suffice.

Firstly, you need to access the “functions.php” file, which is located in the root directory of your WordPress theme.
The path should be something like “wp-content/themes/name-of-your-theme”

Then to achieve this, we will override the “login_errors” filter responsible for displaying login errors. We’ll specify a function name as the second parameter for this filter, and we’ll create this function right afterward:

add_filter('login_errors', 'custom_login_errors');

function custom_login_errors($baseErrors) {
    global $errors;
    $err_codes = $errors->get_error_codes();

    foreach (['invalid_username', 'incorrect_password'] as $code) {
        if (in_array($code, $err_codes)) {
            return 'Your custom error message';

    return $baseErrors;

To explain the code, we retrieve the global variable “$errors,” which stores all the errors on the page.

If the error code corresponds to that of an invalid username or an incorrect password, we return our customized error message.
Otherwise, we return the default error message.

Simply replace ‘Your custom error message‘ with the desired message (can be html).

You’ve now finished improving the security of your WordPress login form.

Illustration by Werner Moser of Pixabay

Learn more

Want to learn more?

Take a look at our other articles on WordPress :

Leave a Reply

Your email address will not be published. Required fields are marked *