artiss.blog

Improve your WordPress login security

Written by

David Artiss

in

,

on

| Time to read is

1–2 minutes

I’m a regular advocate of simple solutions to WordPress solution – enforcing 2FA, applying login limits, etc., rather than moving your login screen or various other practices which have dubious advantages.

Today I have another idea to share, which was suggested by a WordPress VIP customer, and it’s such a simple but effective idea – prevent login by email address.

Why? Because most brute force attempts are made via email, as they’re the login component that are often found in leaked data breaches. Instead, you must use your username to login.

The script was written by a colleague of mine, Cody Crady, and then I’ve refined it to make sure it meets various WordPress coding standard requirements. Just add it your functions.php file and hange text-domain to, well, your text domain for the error translation to work.

<?php
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
/**
* Disable logging in via email
*
* Check for and serve an appropriate response to users attempting to sign in with email.
*
* @param string $user If the user is authenticated.
* @param string $username Username or email address.
* @return string Authentication details
*/
function disable_email_login( $user, $username ) {
if ( ! empty( $username ) && filter_var( $username, FILTER_VALIDATE_EMAIL ) ) {
return new WP_Error( 'email_login_disabled', __( 'Logging in with email is disabled.', 'text-domain' ) );
}
return $user;
}
add_filter( 'authenticate', 'disable_email_login', 20, 3 );
?>
view raw functions.php hosted with ❤ by GitHub

Longer term, I’m looking at converting this into a plugin as, although this script works, it’s a bit rough-and-ready (the login screen still prompts for either a username or email address). I also have some further ideas for security improvements too, which I may roll into the same solution.

 

Tags:

Discover more from artiss.blog

Subscribe to get the latest posts sent to your email.

Comments

2 responses to “Improve your WordPress login security”

  1. avatar
    Anonymous

    That’s a great idea. I’d do the opposite and disable usernames, as I tend to use the same username everywhere but have wildcard emails for each of my sites.

    Reply
    1. David Artiss avatar
      David Artiss

      Although I suspect you’re a minority case, having that as an option is certainly something I’ll look at if/when I create a matching plugin.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.