Commit 67ae20c

Added documentation/examples for set_login_errors
1 parent 66996c5 commit 67ae20c

4 files changed

+37
-17
lines changed


CHANGELOG.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
- Fixed: Firing sequence of `common_toolkit_loaded` hook
66
- Added: `ctk_environment` filter
77
- Added: Ability to change or remove Howdy from admin bar
8-
- Added: Ability to change login errors
8+
- Added: Ability to change/remove login errors
99
- Added: Ability to cache JSON config file
1010
- Added: Ability to disable WordPress core, plugin and/or theme updates
1111
- Added: Ability to modify or disable WordPress heartbeat
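Review bot: the changelog line at new line 8 ("Ability to change/remove login errors") does not say that the configuration key itself was renamed from `hide_login_errors` to `set_login_errors` (see the defaults array in common-toolkit.php in this commit); an existing config that still sets `hide_login_errors` will silently fall back to the default WordPress messages. Call the rename out explicitly, e.g. `- Changed: \`hide_login_errors\` renamed to \`set_login_errors\` (bool/string/null)`, or keep the old key as an alias.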

README.md

Lines changed: 26 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,9 @@ A simple [MU plugin](https://codex.wordpress.org/Must_Use_Plugins) for WordPress
99

1010
- [Installation](#installation)
1111
- [Configuration](#configuration)
12-
- [Features](#features)
12+
- [Sample](#sample)
13+
- [Caching JSON Config File](#caching-json-config-file)
14+
- [Usage Examples](#usage-examples)
1315
- [Environment Filter](#environment-filter)
1416
- [Action Hook](#action-hook)
1517
- [Shortcodes](#shortcodes)
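Review bot: the table of contents gains `Sample`, `Caching JSON Config File` and `Usage Examples`, but the new `## Hide or Change Login Errors` section added further down in this file is not listed, while `Environment Filter` (also a `##` heading) is. Add `- [Hide or Change Login Errors](#hide-or-change-login-errors)` beside it, and consider making the new heading level consistent with the `###` subsections under Usage Examples.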
@@ -35,18 +37,18 @@ All variables are optional.
3537
| `admin_bar_color` | Change admin bar color in current environment | string | _null_ |
3638
| `disable_emojis` | Remove support for emojis | bool | false |
3739
| `disable_search` | Disable WordPress site search | bool | false |
38-
| `disable_updates` | Disable WordPress core, plugin and/or theme updates. Values: 'core', 'plugin', 'theme'; `true` for all | bool/string/array | false |
40+
| `disable_updates` | Disable WordPress core, plugin and/or theme updates. Values: _core_, _plugin_, _theme_; `true` for all | bool/string/array | false |
3941
| `disable_xmlrpc` | Disable XML-RPC | bool | false |
4042
| `feed_links` | Include RSS feed links in page head | bool | true |
41-
| `heartbeat` | Modify or disable the WordPress heartbeat. Set to integer to change, `false` to disable | bool/int | null |
42-
| `hide_login_errors` | Replaces login errors with generic "Login failed" text rather than specific reason | bool/string | null |
43-
| `howdy_message` | Change (string) or remove (false/null) Howdy message in WP admin bar | bool/string/null | true |
43+
| `heartbeat` | Modify or disable the WordPress heartbeat. Set to integer to change, `false` to disable | bool/int | _null_ |
44+
| `set_login_errors` | Hide or change login error messages to mitigate brute force attacks and username phishing | bool/string | _null_ |
45+
| `howdy_message` | Change (string) or remove (`false`/_null_) Howdy message in WP admin bar | bool/string/null | true |
4446
| `meta_generator` | Enable or change meta generator tags in page head and RSS feeds | bool/string | false |
4547
| `script_attributes` | Enable support for [additional attributes](#add-attributes-to-enqueued-scripts) to script tags via wp_enqueue_script() | bool | flase |
4648
| `shortcodes` | Enable custom [shortcodes](#shortcodes) created by this class | bool | false |
4749
| `windows_live_writer` | Enable [Windows Live Writer](https://is.gd/Q6KjEQ) support | bool | true |
4850

49-
### Example
51+
### Sample
5052

5153
#### Via Configuration File (PHP 5.6 or higher)
5254

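Review bot: the new `set_login_errors` row lists its type as `bool/string` but its default as `_null_`, and the section added below documents `null` as a distinct value; match the `howdy_message` row and use `bool/string/null`. The row is also inserted between `heartbeat` and `howdy_message`, breaking the alphabetical order the rest of the table follows; it belongs after `script_attributes`. Two pre-existing issues in the context lines could be fixed while here: `flase` in the `script_attributes` default, and `meta_generator` documented as default `false` while the defaults array in common-toolkit.php sets it to `true`.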
@@ -98,7 +100,7 @@ $config = apply_filter( 'ctk_config', null );
98100

99101
You can add any variable you want to make available to your site's themes and plugins.
100102

101-
## Features
103+
## Usage Examples
102104

103105
### WordPress Environment
104106

@@ -194,6 +196,23 @@ define( 'CTK_CONFIG', [ 'disable_updates' => [ 'core', 'theme' ] ] ); // array
194196
define( 'CTK_CONFIG', [ 'disable_updates' => 'plugin' ] ); // string
195197
```
196198

199+
## Hide or Change Login Errors
200+
201+
To help prevent user enumeration/phishing for brute for attacks, you can change the WordPress login errors to something more generic by defining `set_login_errors`. This value can be a string or boolean:
202+
203+
| **Value** | **Result** |
204+
|---------------------------|---------------------------------------------------------------------------------------------|
205+
| _null_ | Leaves the default WordPress messages in place |
206+
| `false` | Hide/disables login error messages completely |
207+
| `true` | Changes the login messages to a generic "Login failed." (English only) |
208+
| _string_ | Changes the login message to your own string, particularly useful if your default language is not English. |
209+
210+
:pushpin: You can use `%s` in your string, which will be replaced with the reset password URL. Example:
211+
212+
```php
213+
define( 'CTK_CONFIG', [ 'set_login_errors' => '<strong>ERROR</strong>: Invalid credentials. <a href="%s">Lost your password</a>?' ] );
214+
```
215+
197216
## Environment Filter
198217

199218
You can alternately retrieve the current environment using the `ctk_environment` filter:
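Review bot: the intro sentence at new line 201 has typos and a muddled threat description ("user enumeration/phishing for brute for attacks"); suggest "To make username enumeration, and the brute-force attacks that build on it, harder, you can replace the WordPress login errors with a generic message by defining `set_login_errors`." The value table says `false` "Hide/disables login error messages completely", but the visible implementation branches per error code (the common-toolkit.php hunk shows an explicit `invalid_username` check); document which codes are rewritten and what happens for the others (empty fields, wrong password, email login), because a single unhandled code leaks exactly the distinction this option exists to hide. The `%s` note should also state how a literal `%` in a custom (translated) string must be written if the substitution is done with `sprintf`, and that the string is emitted as HTML without escaping (the example itself contains `<strong>` and `<a>`), so it must only ever come from trusted configuration.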

common-toolkit.php

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -49,7 +49,7 @@ final public static function init() {
4949
'disable_xmlrpc' => false,
5050
'feed_links' => true,
5151
'heartbeat' => null,
52-
'hide_login_errors' => false,
52+
'set_login_errors' => null,
5353
'howdy_message' => true,
5454
'meta_generator' => true,
5555
'script_attributes' => false,
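Review bot: renaming the key from `hide_login_errors` to `set_login_errors` with no fallback silently turns the feature off for any existing `CTK_CONFIG` or JSON config that still uses the old name; consider resolving the old key as a deprecated alias (or at least flagging it with `_doing_it_wrong()` and a changelog entry). Also, `'set_login_errors' => null` is placed before `'howdy_message'`, unlike the alphabetical order of the surrounding keys, and the `'meta_generator' => true` default in this context disagrees with the README table, which documents it as `false`.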
@@ -141,8 +141,8 @@ final public static function init() {
141141
}
142142

143143
// Hide login errors
144-
if( self::get_config( 'common_toolkit/hide_login_errors' ) ) {
145-
add_filter( 'login_errors', array( self::$instance, 'hide_login_errors' ) );
144+
if( self::get_config( 'common_toolkit/set_login_errors' ) !== null ) {
145+
add_filter( 'login_errors', array( self::$instance, 'set_login_errors' ) );
146146
}
147147

148148
// Change or remove Howdy message in admin bar
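Review bot: the comment `// Hide login errors` above the renamed hook-up should become `// Hide or change login errors` to match the new behaviour. The `!== null` guard is the right shape (it lets `false` and `''` reach the callback so they can hide the message), but it only works if `get_config()` returns `null` rather than `false` or `''` for an unset key; worth verifying that the JSON path preserves that distinction, otherwise the filter is hooked on every site and the callback's `!$login_errors` branch hides login errors by default.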
@@ -430,19 +430,19 @@ public function modify_heartbeat( $settings ) {
430430
}
431431

432432
/**
433-
* Hide login errors to mitigate brute force attacks
433+
* Change or hide login errors to mitigate brute force attacks
434434
*
435435
* @since 0.9.0
436436
* @see https://codex.wordpress.org/Plugin_API/Filter_Reference/login_errors#Example
437437
*/
438-
public function hide_login_errors( $error ) {
438+
public function set_login_errors( $error ) {
439439

440440
global $errors;
441441
$err_codes = $errors->get_error_codes();
442-
$hide_login_errors = self::get_config( 'common_toolkit/hide_login_errors' );
443-
if( is_string( $hide_login_errors ) && empty( $hide_login_errors ) ) return null;
442+
$login_errors = self::get_config( 'common_toolkit/set_login_errors' );
443+
if( ( is_string( $login_errors ) && empty( $login_errors ) ) || !$login_errors ) return null;
444444

445-
$custom_message = is_string( $hide_login_errors ) ? $hide_login_errors : '<strong>ERROR</strong>: Login failed. <a href="%s">Lost your password</a>?';
445+
$custom_message = is_string( $login_errors ) ? $login_errors : '<strong>ERROR</strong>: Login failed. <a href="%s">Lost your password</a>?';
446446

447447
// Invalid username
448448
if( in_array( 'invalid_username', $err_codes ) ) {
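Review bot: in `set_login_errors()`, the first half of `( is_string( $login_errors ) && empty( $login_errors ) ) || !$login_errors` is redundant, since an empty string is already falsy in PHP; `if ( ! $login_errors ) return null;` is equivalent and clearer. More importantly, `global $errors; $err_codes = $errors->get_error_codes();` assumes `$errors` is a `WP_Error`; the `login_errors` filter can be applied from contexts where that global is not set, and a method call on `null` is a fatal error. Guard with `if ( ! ( $errors instanceof WP_Error ) ) return $error;` before reading the codes. The docblock still says `@since 0.9.0` for what is now a renamed method; note the rename there. Finally, since the function branches per code (`invalid_username` is the first visible one), make sure every code that distinguishes an existing from a non-existing account, including WordPress core's `incorrect_password` and `invalid_email`, maps to the same generic text, or the enumeration protection is undone by the one code left unhandled.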

sample-config.json

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,8 @@
1010
"disable_xmlrpc": false,
1111
"feed_links": true,
1212
"heartbeat": null,
13-
"hide_login_errors": true,
13+
"howdy_message": "Welcome,",
14+
"login_errors": true,
1415
"meta_generator": "Atari 2600",
1516
"script_attributes": true,
1617
"shortcodes": false,
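Review bot: the new key `"login_errors": true` does not match the key the code and README use (`set_login_errors`); as written the sample config sets an unknown option and the feature stays off. Rename it to `"set_login_errors": true`. The `"howdy_message": "Welcome,"` line is an unrelated sample value slipped into this commit; fine to keep, but it should be mentioned in the commit message.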
