[wp-trac] [WordPress Trac] #25446: Return HTTP status code 401 upon failed login
WordPress Trac
noreply at wordpress.org
Wed Aug 13 14:36:47 UTC 2025
#25446: Return HTTP status code 401 upon failed login
--------------------------------------------------+----------------------
Reporter: raoulbhatia | Owner: (none)
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Login and Registration | Version: 3.6
Severity: normal | Resolution: wontfix
Keywords: dev-feedback needs-patch 2nd-opinion | Focuses:
--------------------------------------------------+----------------------
Comment (by smartysmart34):
Replying to [comment:23 dejayc]:
> Perhaps I'm missing something, but isn't it sufficient to set up fail2ban to look out for HTTP POST requests to wp-login that result in HTTP STATUS CODE 200?
>
> POST is only generated by the browser when it submits a login attempt - all other requests are GET.
>
> And 200 is only generated by the server in the event of login failure - success results in 301.
I know this is ancient but the comment about 200 is just not true in case
you are using 2FA. When a successful login transitions to the 2FA screen,
this is an HTTP 200 and as such 2FA renders Fail2Ban worthless, which is a
pain.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/25446#comment:30>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
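
The POST/200 heuristic from the quoted comment and the 2FA false positive described in the reply, shown as an added example (not part of the original thread and not fail2ban's own code): a simplified sliding-window counter run over constructed log lines. `maxretry` and `findtime` mirror fail2ban's option names; the log lines, addresses and the assumption that the 2FA prompt is served as a 200 response to the wp-login.php POST are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (common log format), not from a real server.
SAMPLE_LOG = """\
203.0.113.50 - - [13/Aug/2025:14:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.50 - - [13/Aug/2025:14:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.50 - - [13/Aug/2025:14:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
192.0.2.10 - - [13/Aug/2025:14:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4800
192.0.2.10 - - [13/Aug/2025:14:02:20 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
192.0.2.10 - - [13/Aug/2025:14:02:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [13/Aug/2025:14:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
198.51.100.7 - - [13/Aug/2025:14:05:40 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
198.51.100.7 - - [13/Aug/2025:14:06:30 +0000] "POST /wp-login.php HTTP/1.1" 200 6900
"""
# 203.0.113.50: three wrong passwords in a row.
# 192.0.2.10:   one typo, then a successful login without 2FA (redirect).
# 198.51.100.7: two typos, then the correct password; the 2FA prompt comes
#               back as 200 (assumption taken from the reply above).

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def banned_ips(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with >= maxretry POST/200 hits on wp-login.php inside findtime."""
    hits = defaultdict(deque)   # ip -> timestamps of counted "failures"
    banned = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if (m["method"], m["status"]) != ("POST", "200"):
            continue
        if not path.endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = hits[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.add(m["ip"])
    return banned
```

With the defaults used here, 198.51.100.7 is banned on the request that carried the correct password, because the status code alone cannot separate the 2FA prompt from a failed login.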