Changing WordPress admin login error message

It can be surprising how easy it is to overlook security issues in software design. WordPress, for example, after all its versions, still displays login error information that can be informative for a potential hacker. Rather than displaying a generic login error message, the WordPress admin login specifically tells you whether the ‘username’ or the ‘password’ was entered wrong, as the following screenshot shows.

This can help a hacker get the username right. A good idea is to display a generic message instead, as given below.

You can easily achieve that by adding the following code to your theme’s ‘functions.php’ file.

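// create_function() was removed in PHP 8.0; a closure does the same job.
add_filter('login_errors', function () {
    // Same text for every login failure, so the form does not reveal which field was wrong.
    return 'Oops! Wrong Credentials.';
});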

The second argument to ‘add_filter’ creates an anonymous callback function. This is equivalent to the following.

function no_login_error() {
    return 'Oops! Wrong Credentials.';
}
 
add_filter('login_errors','no_login_error');
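
The ‘login_errors’ filter above replaces every message shown on the login form, including ones that have nothing to do with credentials (empty fields, messages added by a lockout plugin). As an added example that is not part of the original post, the variant below hooks WordPress’s ‘authenticate’ filter and swaps only the invalid_username, invalid_email and incorrect_password errors for the generic one; the function name, the ‘invalid_credentials’ code and the priority of 100 are choices made for this example.

```php
// Added example for a theme's functions.php (the file is already in PHP mode,
// so no opening tag is needed). Not code from the original post.

// Error codes WordPress core sets when the username, e-mail or password is wrong.
const GENERIC_LOGIN_CODES = array(
    'invalid_username',
    'invalid_email',
    'incorrect_password',
);

/**
 * Collapse credential-related login errors into a single generic error.
 *
 * @param null|WP_User|WP_Error $user     Result of the earlier authenticate callbacks.
 * @param string                $username Submitted username or e-mail (unused).
 * @param string                $password Submitted password (unused).
 * @return null|WP_User|WP_Error
 */
function example_generic_login_failure($user, $username, $password) {
    // Successful logins and "nothing decided yet" (null) pass through untouched.
    if (!is_wp_error($user)) {
        return $user;
    }

    // Leave unrelated errors (empty fields, plugin lockout notices) as they are.
    if (!array_intersect($user->get_error_codes(), GENERIC_LOGIN_CODES)) {
        return $user;
    }

    // One code and one message, whichever field was wrong.
    // 'invalid_credentials' is a code made up for this example.
    return new WP_Error('invalid_credentials', 'Oops! Wrong Credentials.');
}

// Priority 100 runs after core's own username, e-mail and password checks.
add_filter('authenticate', 'example_generic_login_failure', 100, 3);
```

Because the error is rewritten before the login page renders it, the ‘login_errors’ filter is not needed when this variant is in place.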