It’s important to protect your website at all costs. Even the smallest of blogs are targets for hackers and bots. One problem a lot of people don’t think about is the login error message. It can provide hints to someone trying to gain access without you realizing. In this case, it’s best to create a custom WordPress login error message.
While plugins like WordFence work well against brute force attacks by limiting the number of attempts to gain access, someone with more patience can still try to gain access.
For example, let’s say that a hacker has an idea of what your username is. If he or she tries it with the wrong password, WordPress will respond with an error message: «The password you entered for the username BobsAccount is incorrect.» This is a clear hint that the username «BobsAccount» is an actual account in WordPress.
Otherwise, the system would respond with an error message, «Invalid username.»
Today, I’m going to show you how to customize the WordPress login error message to remove this kind of hint. If you think about it, the username is only 50% of the access, which means a hacker who knows it is halfway to getting into your website.
In this tutorial, I’ll demonstrate LoginPress. It’s a very useful tool that helps you customize login error messages as well as the login screen itself. It’s a great way to add more visual appeal if you allow users to register or simply protect your site if you’re the only one accessing the site.
Install and activate the «LoginPress» plugin.
A new function will appear in the left admin column. Click «LoginPress» to open the settings screen.
From here, you can enable things like reCAPTCHA, custom password fields and the login order. This is convenient especially if you want to only allow usernames or passwords. By default, WordPress allows both.
Using the LoginPress Customizer
Click on the «Customizer» link in the left column.
This screen is similar to the Customizer used to modify themes. In this instance, the tool is used to customize your login screen. You can change colors, images or add your own CSS. Click the LoginPress option on the left.
Here is where the real functionality of LoginPress resides. From here, you have a myriad of abilities to create the perfect login page for your WordPress website. For this tutorial, click the «Error Messages» option.
From this screen, you can change any of the login error messages to remove hints from WordPress. For instance, you can change the message that appears if someone tries to register an account using an email that already exists. This lets hackers know a specific email is registered on the site.
You can change messages such as these to be more generalized. Something as simple as «Error: Email Address Invalid» neither confirms nor denies that a specific email address is registered on the site.
For this example, I’m going to change both incorrect username and password to this message: «Invalid User.»
Once you customize the WordPress login error messages, click the «Publish» button on the top left. This will save your changes, which will be live immediately.
Click the «X» icon on the top left corner to close the Customizer.
Now when you try to put in either the wrong username or password, the error message simply states «Invalid User.»
This kind of generic error removes any hint of an existing username or password.
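To confirm the change took effect, compare the error your login page shows for an unknown username against the one it shows for a wrong password. The check below is an added example, not part of LoginPress or WordPress; the HTML samples are constructed from the messages quoted above, and the `login_error` element id is an assumption about the login page markup.

```python
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input"}  # tags that never get a closing tag


class LoginErrorText(HTMLParser):
    """Collects visible text inside the element with id="login_error" (assumed id)."""

    def __init__(self):
        super().__init__()
        self.depth = 0   # > 0 while we are inside the error element
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        if self.depth:
            self.depth += 1
        elif dict(attrs).get("id") == "login_error":
            self.depth = 1

    def handle_endtag(self, tag):
        if self.depth and tag not in VOID:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.parts.append(data)


def login_error(html):
    """Return the error message text with whitespace collapsed."""
    parser = LoginErrorText()
    parser.feed(html)
    return " ".join("".join(parser.parts).split())


def hints(unknown_user_html, wrong_password_html, username):
    """List the ways the two saved responses reveal whether the account exists."""
    unknown, wrong = login_error(unknown_user_html), login_error(wrong_password_html)
    found = []
    if unknown != wrong:
        found.append("messages differ between unknown user and wrong password")
    if username.lower() in wrong.lower():
        found.append("wrong-password message echoes the username")
    return found


# Constructed samples: default messages quoted in this article, then the customized one.
DEFAULT_UNKNOWN = '<div id="login_error"><strong>ERROR</strong>: Invalid username.<br /></div>'
DEFAULT_WRONG_PW = ('<div id="login_error"><strong>ERROR</strong>: The password you entered '
                    'for the username <strong>BobsAccount</strong> is incorrect.</div>')
CUSTOM = '<div id="login_error">Invalid User.</div>'
```

Save the page source from one failed login with a made-up username and one with your real username and a wrong password, then pass both to `hints()`; an empty list means the two responses show the same message.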
Keeping Your Login Screen Protected
This is only one way to help limit how people access your site. The truth is, there are plenty of ways you can lock down the login screen. From moving it to a subdirectory to limiting IP addresses, there’s no such thing as too much security.
If you choose to allow user registration on your website, you need to have a system in place to protect yourself as well as visitors. For example, if you are running an eCommerce site or hosting a social hub, you don’t want the criminal element gaining access.
I mentioned earlier how tools like WordFence Security are great additions. Many of them will help shield the login screen from most bot and hacker attacks. Using something like LoginPress in conjunction with a security tool helps reinforce the protection even more.
Always make sure you use unique usernames and passwords for your WordPress website. For instance, the default «admin» account is perhaps one of the biggest login hints available for hackers. In fact, I suggest not even installing the «admin» profile when installing WordPress. It’s perhaps one of the biggest exploits you can add.
An Ounce of Prevention…
It’s always best to prevent a problem from developing rather than fix it later. Eliminating login hints in WordPress is just a small part of that prevention. Never assume your site is protected enough. Nothing protects your site with 100% coverage, which is why you need to remain proactive.
Otherwise, you could give someone full run of your site without realizing it.
How often do you use the WordPress Customizer to give your site a unique look and feel? Have you purchased the pro versions of security plugins for WordPress? If so, do you find them a better value?