Securing WordPress Lost Password: Concealing User Existence

This article marks the second part of our exploration into the practice of concealing user identifiers in WordPress.
If you haven’t yet read the first part, I recommend visiting this article on my website:
Securing WordPress Login Form: Concealing User Existence

By default, when you request a new password through the WordPress “Lost Password” interface and provide a username or email address that does not exist, an error message appears informing you that the identifier does not exist.

While this may seem like a minor issue, it is a user-enumeration weakness: it allows malicious users to compile lists of valid usernames or email addresses for nefarious purposes.

Such lists can then feed phishing attacks or brute-force password recovery attempts.

A few explanations

To comprehend the following steps, let’s begin with a brief overview of how the “Lost Password” feature works.

When submitting the “Lost Password” form, if it fails, the application redirects you to the “Lost Password” page with an error message.

In case of success, the application redirects you to the login success page, typically “wp-login.php?checkemail=confirm”, with the “checkemail” parameter serving as a signal for WordPress to determine which message to display.

To leave no room for clues for potential malevolent individuals, we will modify the behavior so that, after form submission, the application will always redirect all users to the success page, irrespective of whether the entered identifier exists or not.

Subsequently, we will adjust the success message to inform the user that, in the event of a correctly entered identifier or email address, they will receive an email to reset their password.

As in the first article, keep in mind that this modification may impact the user experience.
This message may confuse users if they can’t remember the e-mail address they used.

It’s up to you to decide whether you want to enhance site security at the expense of the user experience.

Let’s dive into the code.

Just a few lines of code will accomplish our goal.
You don’t need to be an expert coder; simple copy-and-pasting will suffice.

First, you need to open the “functions.php” file, located in the root directory of your WordPress theme. The path should be something like “wp-content/themes/name-of-your-theme”.

In the initial step, we will add an action to “lost_password”, which is a hook that allows us to execute code after a “Lost Password” request.
We will specify a function name as the second parameter for this action, which we will create right afterward:

add_action('lost_password', 'errors_lost_password');

function errors_lost_password($errors) {
    // $errors is the WP_Error built while handling the request; nothing to do otherwise
    if (!is_wp_error($errors)) {
        return;
    }

    $error_codes = $errors->get_error_codes();

    // We don't want to give attackers any clue: make the page act like a success
    if (in_array('invalidcombo', $error_codes, true)) {
        wp_safe_redirect('wp-login.php?checkemail=confirm');
        exit;
    }
}

To clarify the code, we retrieve the error codes related to the “Lost Password” process.

The code used when an identifier or email does not exist is ‘invalidcombo’.

If this code is present, we perform a redirection to the success page using the ‘wp_safe_redirect’ function.
Then ‘exit’ is used to halt the execution of the current page and proceed directly to the redirection.

The final step is to modify the success message.
To achieve this, we need to override the “login_message” filter, responsible for displaying login messages.

We will specify a function name as the second parameter for this filter, which we will create right afterward:

add_filter('login_message', 'custom_login_message');

function custom_login_message($message) {
    // Only the "check your email" confirmation page gets our neutral wording
    if (isset($_GET['checkemail']) && 'confirm' === $_GET['checkemail']) {
        return 'Your html message';
    }

    // Any other login message is left untouched
    return $message;
}

If the URL of the page contains the “checkemail” parameter and this parameter is set to ‘confirm’, we return our customized success message.
Otherwise, we return the default message unchanged.

You simply need to replace ‘Your html message’ with your desired message, and you’re all set.
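Below is an added example that is not part of the article's own code: the two steps combined into one drop-in snippet for functions.php (which already begins with `<?php`, so the tag is omitted here). Beyond the article's version it guards against a non-WP_Error argument, compares the error code strictly, builds an absolute redirect URL with `site_url()`, escapes the message, and writes a line to the PHP error log each time an unknown account is requested. That last point is the defender's side of the change: the visitor no longer learns whether the account exists, but the administrator still can, and a burst of these lines from one address is a visible sign of an enumeration attempt. The function names, the message wording and the text domain `your-theme-textdomain` are assumptions to adapt to your theme.

```php
// Added example (not the article's code): both steps in one snippet, plus
// server-side logging so administrators can still see enumeration attempts.

// Step 1: treat an unknown username/email exactly like a successful request.
add_action('lost_password', 'hide_unknown_account_on_lost_password');

function hide_unknown_account_on_lost_password($errors) {
    // Only WP_Error objects carry error codes; ignore anything else.
    if (!is_wp_error($errors)) {
        return;
    }

    // 'invalidcombo' is the code WordPress sets when no account matches.
    if (in_array('invalidcombo', $errors->get_error_codes(), true)) {
        // Keep the evidence on the server side. The submitted identifier is
        // deliberately not logged: it may be a real person's email address.
        $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log(sprintf('lost-password: unknown account requested from %s', $remote));

        // Same destination WordPress uses after a genuine success.
        wp_safe_redirect(site_url('wp-login.php?checkemail=confirm'));
        exit;
    }
}

// Step 2: one neutral confirmation message for everyone.
add_filter('login_message', 'neutral_lost_password_message');

function neutral_lost_password_message($message) {
    if (isset($_GET['checkemail']) && 'confirm' === $_GET['checkemail']) {
        // The wording must not depend on whether the account exists.
        return '<p class="message">' . esc_html__(
            'If an account matches the username or email address you entered, a password reset link has been sent to it.',
            'your-theme-textdomain' // assumption: replace with your theme's text domain
        ) . '</p>';
    }

    return $message;
}
```

With `WP_DEBUG_LOG` enabled, `error_log()` output ends up in `wp-content/debug.log`; otherwise it goes wherever PHP's `error_log` setting points. If the site sits behind a reverse proxy, `REMOTE_ADDR` is the proxy's address, so log the forwarded client address your proxy is configured to pass instead.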

Illustration by Werner Moser of Pixabay.