It’s important to protect your website at all costs. Even the smallest of blogs are targets for hackers and bots. One way to do this is to customize the login error messages. The default ones can provide hints to someone trying to gain access without you realizing it.
In this case, it’s best to create a custom WordPress login error message.
While plugins like WordFence work well against brute force attacks by limiting the number of attempts to gain access, someone with more patience can still try to gain access.
For example, let’s say that a hacker has an idea of what your username is. If he or she tries it with the wrong password, WordPress will respond with an error message: “The password you entered for the username BobsAccount is incorrect.” This is a clear hint that the username, “BobsAccount” is an actual account in WordPress.
Otherwise, the system would respond with an error message, “Invalid username.”
Today, I’m going to show you how to customize the WordPress login error message to remove this kind of hint. If you think about it, the username is only 50% of the access which means a hacker is halfway to getting into your website.
Does Every Website Need to Customize Its Login Error Messages?
Does a website need to? No. Should a website customize them? Absolutely.
As we just discussed, the default login messages are essentially a security vulnerability. They make it much easier to crack account information using a brute force approach, which just means they keep trying till they get it right.
In some cases, they may even guess an old password, and the message will say that it is no longer the password.
When you take a moment to realize that a lot of internet users end up using the same password on multiple sites, that information is extremely valuable. The hacker can now try logging into multiple different platforms using that plugin.
And the scary part is that statistically, they would probably get into one of them. After all, the user name is just an email address in most cases. And that’s not exactly secretive.
Thus, I do highly recommend customizing the login error messages to not only secure your website but to improve internet security overall.
How to Customize Login Error Messages with LoginPress
Step 1: Install LoginPress
In this tutorial, I’ll demonstrate LoginPress. It’s a very useful tool that helps you customize login error messages as well as the login screen itself. It’s a great way to add more visual appeal if you allow users to register or simply protect your site if you’re the only one accessing the site.
In terms of usability, it’s exceptionally easy. Normally, you would need to edit some code to make these changes, but instead, you just use the customizer to edit the default WordPress login messages.
You can see the changes immediately after making them. The plugin does have other features, but for the purpose of this tutorial, we will not explore them.
As is tradition for all plugin-based tutorials, you need to start out by installing and activating the “LoginPress” plugin.
Step 2: Customize Login Error Messages
A new function will appear in the left admin column. Click “LoginPress” to open the settings screen.
From here, you can enable things like reCAPTCHA, custom password fields, and the log-in order. This is convenient especially if you want to only allow usernames or passwords. By default, WordPress allows both.
Click on the “Customizer” link in the left column.
This screen is similar to the Customizer used to modify themes. In these instances, the tool is used to customize your login screen. You can change colors, images, or add your own CSS. Click the LoginPress option on the left.
Here is where the real functionality of LoginPress resides. From here, you have a myriad of abilities to create the perfect login page for your WordPress website. For this tutorial, click the “Error Messages” option.
From this screen, you can change any of the login error messages to remove hints from WordPress. For instance, you can change the message that appears if someone tries to register an account using an email that already exists. This lets hackers know a specific email is registered on the site.
You can change messages such as these to be more generalized. Something as simple as “Error: Email Address Invalid” neither confirms or denies a specific email address is accessible on the account.
For this example, I’m going to change both the incorrect username and password to this message: “Invalid User.”
Step 3: Save Your Settings
Once you customize the WordPress login error messages, click the “Publish” button on the top left. This will save your changes, which will be live immediately.
Click the “X” icon on the top left corner to close the Customizer.
Now when you try to put in either the wrong username or password, the error message simply states “Invalid User.”
This kind of generic error removes any hint of an existing username or password. It’s simple but highly effective.
Keeping Your Login Screen Protected
This is only one way to help limit how people access your site. The truth is, there are plenty of ways you can lock down the login screen. From moving it to a subdirectory to limiting IP addresses, there’s no such thing as too much security.
If you choose to allow user registration on your website, you need to have a system in place to protect yourself as well as visitors. For example, if you are running an eCommerce site or hosting a social hub, you don’t want the criminal element gaining access.
I mentioned earlier how tools like WordFence Security are great additions. Many of them will help shield the login screen from most bot and hacker attacks. Using something LoginPress in conjunction with a security tool helps reinforce the protection even more.
Always make sure you use unique usernames and passwords for your WordPress website. For instance, the default “admin” account is perhaps one of the biggest login hints available for hackers.
In fact, I suggest not even installing the “admin” username profile when installing WordPress. It’s perhaps one of the biggest exploits you can add. Create a completely unique admin account.
Another option to consider is preventing users from using their email address as a username. Emails are widely available, and you can usually find one on a LinkedIn profile without much effort.
That’s like giving away half of the answer. Instead, force users to create a unique username.
An Ounce of Prevention…
It’s always best to prevent a problem from developing rather than fix it later. Eliminating login hints in WordPress is just a small part of that prevention. Never assume your site is protected enough. Nothing protects your site with 100% coverage, which is why you need to remain proactive.
Of course, the login area is just one part of your website. The most common way your security gets compromised is through plugins. Specifically, plugins that are not active. These are prime targets for hackers because the site owner will not check those files.
Thus, you should take a moment and delete any unused plugins for safety. Otherwise, you could give someone a full run of your site without realizing it.
How often do you use the WordPress Customizer to give your site a unique look and feel? Have you purchased the pro versions of security plugins for WordPress, if so, do you find it a better value?