How to Disable Login Hints in WordPress Error Messages (2023)

Hey there, WordPress user! Today we‘re diving deep into a small change you can make to your site that has a big impact on security. I‘ll be walking you through exactly how to disable those pesky login hints in your WordPress error messages.

Navi.

Now, you might be thinking, "Login hints? What‘s the big deal?" I get it. It seems like such a minor thing. But here‘s the scary truth: those little messages that say "Invalid username" or "The password you entered for the user X is incorrect" when someone fails a login attempt are basically a blueprint for hackers.

Think about it – a malicious actor could enter a bunch of common usernames or emails on your login page. Simply based on the error messages, they can figure out which usernames/emails are valid on your site. In fact, according to a recent study by WP White Security, brute force attacks are the most common type of WordPress hack, accounting for over 40% of incidents.

Once a hacker has a valid username, they‘re halfway to gaining unauthorized access. All they have to do is guess the password. And with powerful tools at their disposal, that‘s easier than you might think.

Hackers use bots to automate this process, systematically attempting different username and password combinations. It‘s called a brute force attack. The less information you give them to work with, the better. That‘s where disabling login hints comes into play.

How to Disable Login Hints in WordPress

So how do you implement this security measure on your WordPress site? Good news – it‘s actually pretty simple. You‘ve got two options:

Option 1: Add Code Snippet

The first method is to add a code snippet to your theme‘s functions.php file or via a plugin.

Here‘s the code you‘ll need:

function no_wordpress_errors(){
  return ‘Error: Incorrect login details.‘;
}
add_filter( ‘login_errors‘, ‘no_wordpress_errors‘ );

This snippet replaces WordPress‘ default error messages with a generic one that doesn‘t reveal any sensitive info.

To add it to functions.php:

Go to Appearance > Theme Editor in your WordPress dashboard
Select the Theme Functions (functions.php) file on the right
Paste the snippet at the bottom
Click Update File

If you‘d rather not edit your theme files directly (generally a good call – one misstep can break your site), you can use a plugin like Code Snippets or WPCode. With these, you simply paste in the snippet and activate it. Easy peasy!

Option 2: Use a Security Plugin

Many WordPress security plugins have an option to hide login hints baked right in. Some popular ones are:

Wordfence
Sucuri Security
iThemes Security
All In One WP Security & Firewall

If you‘re already using one of these to lock down your site, go to its settings and look for a feature related to login hints or error messages. Switch it on, and you‘re good to go!

Customizing the Error Message

See that ‘Incorrect login details‘ message in the code snippet? That‘s what will display instead of the default hints.

Feel free to customize it to something else. Just make sure it‘s generic and doesn‘t give away any hints about valid usernames or passwords. Even something like "Oops! That didn‘t work. Please try again." does the trick.

The key is to avoid messages like:

The username you entered isn‘t registered
The password you entered for the username X is incorrect
The email address isn‘t associated with an account

All of these reveal that part of the login attempt (the username or email) was correct. Your custom message should stay vague.

Testing It Out

After you‘ve implemented the change, it‘s always smart to test it out. Head to your login page and intentionally enter the wrong username and password. If you see your custom error message instead of the default ones, it worked!

Why Bother With This At All?

At this point you might be thinking, "Is this really necessary? Aren‘t there bigger fish to fry when it comes to WordPress security?" And sure, in the grand scheme of things, disabling login hints is a pretty small measure.

But here‘s the thing – every little bit helps. It‘s like locking your car doors. Will it stop a determined thief with tools? Probably not. But it stops opportunistic passersby from simply opening the door and grabbing your stuff.

Same principle with login hints. Hiding them makes hackers‘ lives harder. They‘ll have to put in a lot more guesswork (or find another method entirely) to get a foot in the door.

Plus, it‘s so quick and easy to do, there‘s really no reason not to. It‘s a small configuration change that removes some low-hanging fruit for bad actors.

What Else Can You Do to Beef Up Login Security?

Disabling login hints is a great start, but there‘s more you can do to fortify the login process:

1. Limit Login Attempts

By default, WordPress allows unlimited login attempts. That‘s a brute force attacker‘s dream! Limiting failed attempts (and temporarily blocking users who exceed that limit) majorly cuts down their chances of getting in.

There are plugins dedicated solely to this, like Login Lockdown or WP Limit Login Attempts. Most security plugins also include this feature.

2. Enable Two-Factor Authentication

2FA adds an extra step to the login process. In addition to a username and password, users must enter a code from an app or email to get access.

This makes it way harder to hack an account, even if the password is compromised. According to Microsoft, 2FA can prevent 99.9% of account hacks.

3. Enforce Strong Passwords

The easier a password is to guess, the quicker a brute force attack will crack it. Avoid common words and phrases. Use a random mix of uppercase and lowercase letters, numbers, and special characters. Make it long, too – 12 characters minimum!

Check out this eye-opening table of the most common passwords of 2021:

Rank	Password
1	123456
2	123456789
3	12345
4	qwerty
5	password

If any of your users‘ passwords are on there…yikes. Time for a change!

You can enforce strong passwords in WordPress via plugins. Some will assess password strength in real-time, warning users creating an account when their password is too weak.

4. Change the Login URL

By default, your WordPress login page lives at yourdomain.com/wp-login.php. Hackers know this, so it‘s an obvious target.

Changing it to something custom both hides it from attackers and prevents bots from automatically hitting that URL.

You can do this manually by editing the .htaccess file or wp-login.php file, but a plugin makes it much easier (and safer). WPS Hide Login is a great option.

5. Use a WordPress Security Plugin

We touched on these earlier as an easy way to disable login hints. But they do so much more!

From firewalls to malware scanning to login protection, a good security plugin is a must for every WordPress site.

Some of the most reputable ones are:

Sucuri Security
Wordfence Security
iThemes Security
Jetpack Security

The Bottom Line on WordPress Security

At the end of the day, your WordPress site‘s security is your responsibility. It‘s up to you to put proper measures in place (and keep them up to date as threats evolve).

Disabling login hints is a small piece of that puzzle, but an important one. By hiding those messages, you make it that much harder for unauthorized users to get their hands on a valid username – and without that, they can‘t get in.

So take a few minutes to implement this change on your site. Encourage your fellow WordPressers to do the same. The more we all prioritize security, the safer the whole ecosystem will be.

Thanks for reading, and stay safe out there!