[wp-trac] [WordPress Trac] #10006: Lost Password Requests - Hardening WordPress

WordPress Trac
wp-trac at lists.automattic.com
Tue Jun  2 10:25:04 GMT 2009

#10006: Lost Password Requests - Hardening WordPress
-------------------------+--------------------------------------------------
 Reporter:  neoxx        |       Owner:  ryan                         
     Type:  enhancement  |      Status:  new                          
 Priority:  normal       |   Milestone:  Unassigned                   
Component:  Security     |     Version:  2.8                          
 Severity:  normal       |    Keywords:  login, security, lostpassword
-------------------------+--------------------------------------------------
 Hi,
 just a security thought: as I have a public authors list on my blog, an
 attacker could easily use this list to bother my users with password-reset
 mails.
 Fortunately, we have the lostpassword_post hook, so I'm able to redirect
 all lost-password requests which are not based on registered e-mail
 addresses to wp-login.php?action=lostpassword. Nevertheless, to avoid
 confusing my users, I still need to manually change the messages in
 wp-login.php from '*username or e-mail*' to only '*e-mail*'.
 To summarize, it would be helpful to have a filter for these messages...
 greetz,
 berny
-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10006>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
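The hardening the reporter describes, written out as an added example plugin (not code from the ticket or from WordPress core): a `lostpassword_post` handler that sends non-e-mail input back to the form, plus the message changes the reporter otherwise had to make by hand. The query flag `eol_email_only`, the `eol_` function names and the notice text are assumptions; the `gettext` relabel assumes the installed wp-login.php still passes the 2.8-era string `'Username or E-mail:'` to `_e()`.

```php
<?php
/*
Plugin Name: E-mail-only lost password (added example)
Description: Accept only an e-mail address in the lost-password form.
*/

// Runs when the lost-password form is submitted, before the reset mail goes
// out. The field name 'user_login' is the one wp-login.php uses; core accepts
// either a username or an e-mail address in it.
function eol_require_email_for_lost_password() {
    $login = isset( $_POST['user_login'] ) ? trim( stripslashes( $_POST['user_login'] ) ) : '';

    // Anything that is not a syntactically valid e-mail address goes back to
    // the form, so a username taken from the public author list is not enough
    // to trigger reset mails. Whether the address is registered is not revealed
    // here; core's "Invalid username or e-mail." path handles unknown addresses.
    if ( ! is_email( $login ) ) {
        wp_safe_redirect( site_url( 'wp-login.php?action=lostpassword&eol_email_only=1' ) );
        exit;
    }
}
add_action( 'lostpassword_post', 'eol_require_email_for_lost_password' );

// Explain the rejection on the form we redirected to (hypothetical query flag).
function eol_lost_password_notice( $message ) {
    if ( isset( $_GET['action'], $_GET['eol_email_only'] ) && 'lostpassword' === $_GET['action'] ) {
        $message .= '<p class="message">'
            . esc_html__( 'Please enter the e-mail address of your account.' )
            . '</p>';
    }
    return $message;
}
add_filter( 'login_message', 'eol_lost_password_notice' );

// Relabel the form field so users are not told a username is accepted. The
// source string must match exactly what the installed wp-login.php prints.
function eol_relabel_lost_password_field( $translated, $original, $domain ) {
    if ( 'Username or E-mail:' === $original ) {
        return 'E-mail:';
    }
    return $translated;
}
add_filter( 'gettext', 'eol_relabel_lost_password_field', 10, 3 );
```

Dropping the file into wp-content/plugins and activating it is all that is needed; if the label is not replaced, compare the string in the `gettext` handler against the one in your wp-login.php.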