Login error messages: reenable

Add the line below to the wp-config.php file:

define('ITSEC_DEBUG', true);

This will add an extra menu option to the Security menu named Debug.
Navigate to the Security->Debug menu option.

In the Settings section select ‘wordpress-tweaks’ and then click on the Load button.

If you have properly disabled the “Login Error Messages” setting you should see the following entry in the array:

"login_errors": false,

We just checked it.
It could be another (security) plugin. Or a piece of code added to the active theme functions.php file.
Or it may be the effect of a caching plugin.

Is it showing an empty (red color) notice or no notice at all when forcing an invalid login attempt ?

Any chance I can give it a try ?

Ok, I see.

I don’t think this is an iTSec plugin issue. When enabling the plugin setting normally an empty notice will be displayed above the login form upon a failed login attempt. Since there is no notice displayed at all the setting is probably correctly disabled. Doublecheck: Enable the setting again and confirm an empty (red) notice is displayed.

Post edit:
If the empty (red) notice is not displayed this may be a custom login form issue. So the iTSec plugin setting may not work at all with your custom login form …

• This reply was modified 7 years, 8 months ago by nlpro.

I’ve been digging a little deeper (I’m curious) and learned that WooCommerce wc_add_notice() function actually applies the WordPress ‘login_errors’ filter that the iTSec plugin “Login Error Messages” setting hooks into ! So in theory it should work.

Only 1 extra line of code is executed when enabling the “Login Error Messages” setting:

if ( $this->settings['login_errors'] ) { //If "Login Error Messages" is enabled
	add_filter( 'login_errors', '__return_null' ); //Replace error msg with null
}

So in a vanilla WordPress login form an empty (red) notice will be displayed upon a failed login attempt. (Which I think is not very usefull because users can see something is wrong but get absolutely NO clue what is wrong). It would be better to display a generic error msg like:

ERROR: Invalid username, email address or incorrect password.

Anyway the WordPress login form seems to be able to deal with the filtered null value.

However I have my doubts whether the WooCommerce login form is able to deal with a null value for the error notice …

So as a simple test try this (The procedure below is UNTESTED so make sure you have a valid backup of the env before proceeding!):

1. Make a copy of the better-wp-security/core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php file. At the end of the procedure this copy will be used to restore the original plugin file.
2. Edit the better-wp-security/core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php file.
3. Search for the 3 lines of code pasted into this post at the beginning.
4. Replace the following line:

add_filter( 'login_errors', '__return_null' );

with:

add_filter( 'login_errors', array( $this, 'filter_login_error_cb' ) );

5. Add the function below as a new class function like this:

public function filter_login_error_cb() {
	return __( '<strong>ERROR</strong>: Invalid username, email address or incorrect password.' );
}

6. Save changes.
7. Log into the WordPress Dashboard and enable the “Login Error Messages” setting in the iTSec plugin WordPress Tweaks module. Save changes. Logout.
8. Clear the browser cache and retest the issue.

9. When testing is done delete the better-wp-security/core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php file and restore it using the copy created in step 1.

• This reply was modified 7 years, 8 months ago by nlpro.
• This reply was modified 7 years, 8 months ago by nlpro.