[wp-trac] [WordPress Trac] #63936: wordpress return http200 instead of 401 on login error
WordPress Trac
noreply at wordpress.org
Fri Sep 5 16:20:07 UTC 2025
#63936: wordpress return http200 instead of 401 on login error
------------------------------------+-----------------------------
Reporter: aqueos | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 6.8.2
Severity: normal | Keywords:
Focuses: sustainability |
------------------------------------+-----------------------------
Hi,
In case of an auth error, WordPress returns an HTTP code of 200 instead of 401
(unauthorised) or 403, but 401 is more fitting.
I guess this is to use "security by obscurity", but the thousands of bots
per hour piling onto my server's wp-login.php show this has no effect at all
on the obscurity side of things. It also prevents a fail2ban filter or
home-made filter from blocking abusers' IPs easily.
So I think it would be of great benefit to return the appropriate HTTP
code in case of a bad login/pass or auth result in WordPress.
Best regards,
Ghislain.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63936>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
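
The log-filtering problem raised in the ticket, as an added example (not part of the original report and not WordPress or fail2ban code): a small access-log filter that has to infer failed logins from "POST to wp-login.php answered with 200", compared with matching on 401/403 directly. It assumes a combined-format access log and that a successful login is answered with a redirect rather than 200; the log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range IPs), not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2025:16:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "bot"
203.0.113.7 - - [05/Sep/2025:16:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4790 "-" "bot"
203.0.113.7 - - [05/Sep/2025:16:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4790 "-" "bot"
203.0.113.7 - - [05/Sep/2025:16:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4790 "-" "bot"
198.51.100.20 - - [05/Sep/2025:16:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Firefox"
198.51.100.20 - - [05/Sep/2025:16:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4790 "-" "Firefox"
198.51.100.20 - - [05/Sep/2025:16:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Firefox"
192.0.2.9 - - [05/Sep/2025:16:02:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3100 "-" "Firefox"
""".splitlines()


def login_posts(lines):
    """Yield (ip, status) for each credential POST to wp-login.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # GETs of the login form also return 200, so skip them
        path, _, query = m["path"].partition("?")
        # Other form posts (e.g. ?action=lostpassword) are not login attempts.
        if path.endswith("/wp-login.php") and "action=" not in query:
            yield m["ip"], int(m["status"])


def offenders(lines, failure_statuses, threshold):
    """IPs with at least `threshold` login POSTs answered with a failure status."""
    hits = Counter(ip for ip, st in login_posts(lines) if st in failure_statuses)
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    # Current behaviour: failure must be inferred from method + path + 200.
    print("heuristic (POST answered 200):", offenders(SAMPLE_LOG, {200}, 3))
    # Behaviour the ticket asks for: the status code alone marks a failure.
    print("status-based (401/403):", offenders(SAMPLE_LOG, {401, 403}, 3))
```

With the 200 response, the filter depends on the method, the path and the absence of an `action=` parameter to avoid counting ordinary page loads; a 401 on failure would reduce the rule to a status match.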