Recently, a user reached out asking how to disable login suggestions in WordPress login error messages. By default, WordPress shows specific hints when someone enters an invalid username or password, potentially aiding attackers in guessing credentials. As experienced WordPress security experts, we'll guide you through hiding these hints to bolster your site's defenses.
During login attempts, if a user enters an incorrect username, WordPress displays a targeted error:
With a valid username but wrong password, it shows:
This confirms the username is correct, aiding brute-force attempts. Since WordPress 4.5, email logins are supported too, so these hints can reveal admin email addresses.
For everyday users, this may not seem critical, but for those prioritizing privacy and security—like high-profile sites or privacy-conscious admins—it's a vulnerability.
Best practices include unique usernames and strong passwords for admins. Check our beginner's guide to managing WordPress passwords for proven tips.
Let's hide these hints. We've prepared a video tutorial for visual learners:
Prefer text? Follow this step-by-step guide.
Add this code to your theme's functions.php file or a site-specific plugin:
function no_wordpress_errors() {
return 'Algo está mal!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );This filter replaces default error messages with your custom one, like "Something is wrong!" regardless of the input.
This simple tweak masks hints effectively. Note: It won't stop advanced attacks or brute-force floods.
For comprehensive protection, we rely on Sucuri across all our sites. Their firewall blocks suspicious traffic effortlessly. See how Sucuri stopped 450,000 WordPress attacks on our sites in just 3 months.
This should secure your login page. Explore our 13 tips to protect your WordPress admin area for more strategies.
Liked this? Subscribe to our YouTube channel for WordPress tutorials, and follow us on Twitter and Facebook.