[Defender] Defender pro brute force vulnerability

Hi. When someone tries to log in to my site with a combination of username and password, there is a vulnerability. For example, when the attacker enters an incorrect username the error that appears is (ERROR: Invalid username.), and when he enters the correct username and an incorrect password the error is (ERROR: The password you entered for the username example is incorrect). That makes it easier for the attacker to find out the correct username. My suggestion is to show a generic login error (incorrect username or password) even if the attacker enters the correct username.

  • Predrag Dubajic

    Hi Mustafa,

    This is actually default WP behavior and it's not related to Defender; it's part of the WP translation strings, so it can be easily changed with our Ultimate Branding plugin and its text change module.
    You would need to replace these two strings:
    - Invalid username.
    - The password you entered for the username %s is incorrect.
    Use this instead and that will do the trick:
    - Incorrect username or password.
    The setup will look like this:

    Also, for additional security, you have Login Protection in Defender > IP Lockouts that will block IP when someone enters the wrong username and password X number of times in set time, and that will stop brute force attacks.

    There's also Two Factor Authentication in Defender > Advanced tools panel which will further improve the security of your account(s).

    Best regards,
    Predrag
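The same two-string swap the reply describes, done programmatically with WordPress's `gettext` filter plus a `login_errors` fallback, as an added example that is not code from this thread, from Defender, or from Ultimate Branding. It assumes the strings are in the default text domain exactly as quoted in the reply (the `%s` source string is matched before the username is substituted in) and that the file is dropped into `wp-content/mu-plugins/`.

```php
<?php
/**
 * Plugin Name: Generic Login Error (added example, not a WPMU DEV plugin)
 * Description: Replace username-revealing login errors with one generic message.
 */

const GENERIC_LOGIN_ERROR = 'Incorrect username or password.';

/**
 * Swap the two source strings quoted in the reply for the generic one.
 * gettext receives the untranslated source text, so the %s placeholder
 * version is what we compare against, not the message with the username in it.
 */
function generic_login_error_gettext( $translation, $text, $domain ) {
    if ( 'default' !== $domain ) {
        return $translation;
    }
    $revealing = array(
        'Invalid username.',
        'The password you entered for the username %s is incorrect.',
    );
    return in_array( $text, $revealing, true ) ? GENERIC_LOGIN_ERROR : $translation;
}
add_filter( 'gettext', 'generic_login_error_gettext', 10, 3 );

/**
 * Defence in depth: even if a future WP release rewords the source strings,
 * never render more than the generic message on the wp-login.php error box.
 * (A non-empty $errors means a login attempt failed.)
 */
function generic_login_error_box( $errors ) {
    return '' === trim( wp_strip_all_tags( $errors ) )
        ? $errors
        : '<strong>ERROR:</strong> ' . GENERIC_LOGIN_ERROR;
}
add_filter( 'login_errors', 'generic_login_error_box' );
```

The `login_errors` filter only affects the message shown on the login form; the lockout and two-factor settings mentioned above still do the rate-limiting work.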
