Some web applications tend to reveal information they are not supposed to reveal. This can be the result of either a developer's decision or some sort of misconfiguration. WordPress tends to reveal unnecessary information as a result of a design decision.
By default, WordPress shows an error message on the login page that indicates whether the username or email entered is incorrect. This is mostly a security concern because the error message can be used as a hint to guess a username, email address and password.
This article will focus on showing you how you could disable the error message when someone enters incorrect credentials.
In the first scenario, when someone enters an incorrect username and password, the following information is displayed, as shown below.
In the second scenario, when a user enters a valid username but an incorrect password, the following information is displayed, as shown below.
As you can see from both scenarios, WordPress reveals whether the email or username is correct or incorrect, which can be used by an attacker to perform a brute force attack on your website. These login hints can also verify that you are using a particular email address for your admin account.
DISABLING LOGIN HINTS
To disable these hints in WordPress, first log in to the administrative page and then follow the steps below.
First, go to Appearance –> Themes –> click on your theme –> theme functions (functions.php)
Then go to the end of functions.php and paste the following code.
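A snippet of the kind this step describes, given here as an added example and not the original article's code. The function name `generic_login_error_message` and the message text are assumptions; `login_errors` is the WordPress filter that receives the login error text before it is displayed.

```php
<?php
// Added example, not the original article's code.
// Paste at the end of the active theme's functions.php
// (leave out the opening <?php tag if the file already has one).

/**
 * Return the same message for every failed login, so the response no longer
 * says whether the username, the email address or the password was wrong.
 *
 * @param string $error The error HTML WordPress was about to display.
 * @return string The generic replacement message.
 */
function generic_login_error_message( $error ) {
    // The text after "return" is what the login page shows; edit it to taste.
    return 'Login failed: the credentials you entered are not valid.';
}

// Register the function above as a filter on login error messages.
add_filter( 'login_errors', 'generic_login_error_message' );
```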
Note: to change the error message, edit the text in the return statement.
The code adds your custom message as a filter on login errors.
Now when you enter an incorrect username or password, this is the error message you will get