We’re using the LDAP plugin with WordFence.
In some cases (as WordPress default), some information is exposed to final users (for example, valid usernames during login).
WordFence has a function to “Don’t let WordPress reveal valid users in login errors”.
However, due to login error codes generated by the LDAP plugin, this function is not triggered.
wpldaplogin.php:

$error = new WP_Error();
$error->add('LDAP_USER_BIND_ERROR', __('<strong>ERROR</strong>: The password you entered for the username <b>'.$username.'</b> is incorrect.'));
return $error;

This works using:
$error->add('incorrect_password', ... )
Do you plan to support WordFence or have plans to expose less data to potential attackers?
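
A site-side mitigation for the behaviour described in the post above, as an added example that is not part of the original post or of the LDAP plugin: a small must-use plugin that replaces the `LDAP_USER_BIND_ERROR` result with a generic `incorrect_password` error, so the response no longer confirms or echoes the submitted username. The function name, the constant and the filter priority of 30 are assumptions; the priority has to run after the LDAP plugin's own `authenticate` callback and before any plugin that inspects the error code.

```php
<?php
/**
 * Plugin Name: Generic LDAP login errors (added example)
 */

// Error code taken from the wpldaplogin.php snippet quoted in the post.
const EXAMPLE_LDAP_BIND_ERROR = 'LDAP_USER_BIND_ERROR';

/**
 * Swap the LDAP bind error for a generic failure.
 *
 * @param null|WP_User|WP_Error $user     Result from earlier authenticate callbacks.
 * @param string                $username Submitted username (unused on purpose).
 * @param string                $password Submitted password (unused on purpose).
 * @return null|WP_User|WP_Error
 */
function example_mask_ldap_login_error( $user, $username, $password ) {
    // Successful logins and undecided results pass through untouched.
    if ( ! is_wp_error( $user ) ) {
        return $user;
    }

    // Only rewrite the error code shown on this page; leave other errors alone.
    if ( ! in_array( EXAMPLE_LDAP_BIND_ERROR, $user->get_error_codes(), true ) ) {
        return $user;
    }

    // Same code WordPress core uses for a wrong password, with a message that
    // neither names the account nor says which field was wrong.
    return new WP_Error(
        'incorrect_password',
        __( '<strong>ERROR</strong>: The username or password you entered is incorrect.' )
    );
}

// Priority 30 is an assumption: adjust it to sit after the LDAP plugin's callback.
add_filter( 'authenticate', 'example_mask_ldap_login_error', 30, 3 );
```

To check the result, submit a wrong password for a known account and for a non-existent one and confirm the two login responses are identical.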