Try logging into your WordPress site with a username that doesn’t exist. WordPress says: “The username X is not registered on this site.”
Now try a real username with a wrong password. WordPress says: “The password you entered for the username X is incorrect.”
Two different messages. Two pieces of intelligence. An attacker now knows which usernames are valid without needing to guess both username and password simultaneously.
## What’s the problem with login error messages?
WordPress differentiates between “unknown username” and “wrong password” errors by default. This is a user-experience choice — it helps legitimate users understand what went wrong. But it’s also an information leak that helps attackers.
With specific error messages, an attacker can: first enumerate valid usernames (trying common ones until the error changes from “not registered” to “incorrect password”), then focus brute force efforts on those confirmed accounts.
## The quick fix
```php
// Replace both login error messages with a single generic message
add_filter( 'login_errors', function () {
    return 'The login credentials you entered are incorrect. Please try again.';
} );
```
One filter. Both error types now show the same generic message. Attackers can’t distinguish between invalid usernames and wrong passwords.
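The `login_errors` filter runs at display time on the concatenated error text, so the one-liner above rewrites every error wp-login.php renders, including the empty-field messages. The following is an added example (not OvKit's code, nor from the original post) that instead intervenes at the `authenticate` filter and rewrites only the error codes that confirm an account exists; the code name `generic_credentials` is a constructed label.

```php
<?php
/**
 * Added example, not OvKit's code: normalize only the authentication
 * errors that leak account existence, instead of rewriting every rendered
 * error string. Drop it in a (mu-)plugin file or functions.php.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    // A WP_User (success) or null (nothing tried yet) passes through untouched.
    if ( ! is_wp_error( $user ) ) {
        return $user;
    }

    // Codes set by wp_authenticate_username_password() and
    // wp_authenticate_email_password() that reveal whether the account exists.
    $leaking_codes = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

    if ( ! array_intersect( $leaking_codes, $user->get_error_codes() ) ) {
        // e.g. empty_username / empty_password: these tell the user which
        // field they left blank without confirming any account, so keep them.
        return $user;
    }

    // Replace the whole error with one message. 'generic_credentials' is a
    // code name chosen for this example. Because a WP_Error is still returned,
    // wp_authenticate() goes on to fire wp_login_failed, so lockout and
    // rate-limiting plugins keep counting the attempt.
    return new WP_Error(
        'generic_credentials',
        __( 'The login credentials you entered are incorrect. Please try again.' )
    );
}, 100, 3 ); // Priority 100: after core's callbacks at 20/30 and the spam check at 99.
```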
## The one-click solution
OvKit includes Hide Login Errors under Features → Security. One toggle replaces all login error specifics with a single generic message.
## What happens after you fix this?
- All login errors show the same message — no username confirmation
- Brute force attackers can’t enumerate usernames via error differences
- Legitimate users still know they entered wrong credentials — just not which field was wrong
## FAQ
### Won’t this frustrate legitimate users?
Slightly. They won’t know if they mistyped their username or password. But the trade-off is worth it — most users know their username and are just mistyping the password. For the few who forget their username, the “Lost your password?” link works regardless.
### Should I combine this with hiding the login page?
Yes. Generic error messages + hidden login URL + login attempt limiting = comprehensive login protection. Each layer addresses a different attack vector.
### Does this affect the password reset flow?
No. The “Lost your password?” functionality works independently. WordPress’s password reset deliberately doesn’t confirm whether an email exists (for the same security reason).