Recently, one of our users asked us how they can disable login hints in WordPress. By default, WordPress show error messages when someone enters incorrect username or password on the login page. These error messages can be used as a hint to guess a username, user email address, or password. In this article, we will show you how to disable login hints in WordPress login error messages.
What Are Login Hints in WordPress Login Error Messages
During login, WordPress shows this error message when a user enters incorrect username
ERROR: Invalid username. Lost your password?
If someone enters correct username with wrong password, then WordPress shows this message:
ERROR: The password you entered for the username johnsmith is incorrect. Lost your password?
If someone is trying to guess your username, then this error message confirms that they have successfully guessed it.
Since WordPress 4.5, you can also login to your WordPress site using email address instead of username. These login hints can also confirm that you are using a particular email address for your admin account.
For most WordPress users this is probably not a big issue. But for people who are cautious about privacy and security, this could be a problematic thing.
For better security, you should always use unique usernames and strong passwords for your admin account. See our guide on the best way to manage passwords for WordPress beginners.
Having said that, let’s take a look at how to hide these login hints in WordPress login error messages.
To make it easy, we have created a video tutorial on how to disable login hints in WordPress login error messages.
However if you just want to follow text-instructions, then you can follow our step by step tutorial on how to disable login hints in WordPress login error messages.
Hiding Login Hints in WordPress
Simply add the following code to your theme’s functions.php file or a site-specific plugin.
function no_wordpress_errors(){
return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
This code adds your custom message as a filter to login errors. This will override default WordPress login errors.
Now if someone enters incorrect username, password, or email, WordPress would simply show the error ‘Something is wrong’ without giving any hints.
While this code can hide login errors, it cannot save you from more sophisticated hacking attempts or brute force attacks.
We use Sucuri to protect all our websites against common security threats. Sucuri comes with a website firewall that can block any suspicious activity from reaching to your site. See how sucuri helped us block 450,000 WordPress attacks in 3 months
We hope this article helped you hide login hints from WordPress login error messages. You may also want to see these on 13 tips and hacks to protect your WordPress admin area.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
When I add this to my WpTouch plugin, it shows a part of the code in my header…
As long as the code is working on the desktop version you would want to reach out to WPTouch to let them know about that issue to take a look.
Well it is easy to know the username if it is right, as when entered correct username and the wrong password, the username field does not get blank even after getting the ‘something is wrong’ warning. Which clearly is a hint the yes this is the correct username. Is there any way to make the username field blank in this scenario. Please help.
Is there a way to change the text of the error message on the lostpassword page that says by default, “Please enter your username or email address. You will receive a link to create a new password via email.”?
I can’t seem to find any material on the subject
I was wondering the same thing. Why can’t we just change the wording of the error message instead of adding a function that might be overwritten with the next update?
The only thing is that when you enter a correct username and an incorrect password, it gives a message “something is wrong” but you can see the username, which confirms it in case you have guessed it. I don´t know if this happens in WordPress 4.5. Is there any way of leaving the username field blank even though it´s correct? Thank you
I am curious to find out what blog system you’re using? I’m having some small security issues with my latest website and I would like to find something more safeguarded. Do you have any solutions?
We are using WordPress with Sucuri.
I am truly thankful to the owner of this web page who has shared this enormous article at at this time.
Do you have any video of that? I’d like to find out some additional information.
Video will be available soon. Please subscribe to our YouTube Channel.
WP Simple Firewall or Shield gives you the ability to hide the login menu, lock down the Dashboard and it comes with Sucuri and Brute Attack prevention. It is a free plugin, use it in conjunction with a password manager, so you don’t forget or misplace your passwords. I use Lastpass, which is also free. Shield replaced six security plugins and sped up my website.
Is there a help line in Australia as I have forgotten my user name for logon being a little old it is a problem
G’day Phillip, sorry mate no help line. Try going through whoever hosts your website, they should be able to help you out. Once reset use a password manager like Lastpass, you only have to remember one password. WRITE IT DOWN; did I say write it down because if you don’t, WRITE IT DOWN you’ll really will be up the creek, without a paddle.