WordPress Login Hints: Helpful or Hacker Bait?

When a user fails to log into your WordPress website, by default the site will give them one of two hints. It will either tell the failed login typer that their username is unknown to your database or that the password does not match the username. It’s not hard to understand why this feature was added. Each person can have dozens of online accounts and it can be hard to keep all of one’s logins properly memorized. It’s all too easy to mis-type your username (and then completely miss that it is misspelled over and over) and even easier to accidentally type in the password for your other favorite WordPress site.

For your users, login hints can be helpful. But is that help worth the cost of also offering those hints to hackers? Generally, not. WordPress defaults are rarely secure. When you can build your own secure website, these password security problems are easily solved.

Login Hints are a Hacker’s Best Friend

Hackers often crack accounts with a process of guess-and-check. They have stolen or purchased login credentials for a particular username or email address and are now trying to invade other sites that the person frequents using what is assumed to be their favorite password.

When that login hint pops up, it’s all the troubleshooting data a login-cracking hacker needs to try again. They may learn that a targeted user likes to change up their username but a little research may reveal the right username to use with their stolen password. Or they may realize that they have the wrong password for this account and start trying variations. Which may work.

Login hints are not nearly as helpful to your users as they are to hackers. On the other hand, you can’t exactly leave your users high and dry when they have genuinely forgotten their login. Fortunately, you and your users have a few options. One of the best is transitioning to a secure website framework that can support more sophisticated login security.

A More Personal Login Hint Alternative

One option is to follow in Google’s footsteps by offering your users a more personalized login hint than simply saying that the username or password is incorrect. Google has been letting failed-login users know the last date they changed their password, and even this can be improved for greater personalization and security.

Change the wording and let your users know when the last time was they updated their ‘login credentials’. Remember, don’t indicate if it was username or password that was incorrect. You might even allow users to pick a specific phrase when they do change their login credentials that they want to see as a reminder.

Do not let users write their own password reminders, or they will likely give away the game without thinking. Instead, let them choose from a selection of interesting phrases. Then, instead of any kind of reminder, when a login fails send them a message like

“On January 5th, You Chose ‘Roses are Red, Violets are Blue’ as your Login Reminder”. Hackers will have no idea what to do with this, except perhaps conclude that login credentials were changed to some new mysterious setting on January fifth.

Quickly Offer Login Recovery

The classic approach, of course, is to quickly encourage a failed login attempter to connect via email or phone for login recovery procedures. Here, there is usually a little security run-around where the user must first enter their email to be sent their username, then use their username to reset their password.

This is, to date, the most secure way to give your users back their complete login credentials because they have to both know their email address or phone number, and have access to the recovery inbox to recover their account. No matter how you structure your username and password recovery, access to the right phone or the right email address is the best way to ensure that you are dealing with the real user and not a hacker using their credentials. This does not, of course, account for incredibly thorough hackers who steal an email address or phone first. To protect yourself from the most proactive rank of hackers, you need a secure website infrastructure beyond what WordPress can offer.

Initiate Second-Factor Authentication for Login Recovery

Another interesting alternative to classic recovery methods is to use two-factor authentication in login credential recovery. Instead of the traditional security questions, which can be found and stolen from other websites, consider creating something unique that only your users would remember and be able to replicate. Perhaps permit them to more quickly recover their accounts if they can recreate a specific dot-grid drawing, tap out the notes to an unnamed song, or pick out a photo that represents a security question answer in their mind that they chose a long time ago.

To keep these second-factor authentication methods fresh in user minds, you may also want to pair this technique with pop-up refresher games while users are logged in, or as spontaneous second-factor login requests on their way through a normal authorized login.

Using a second-factor method, you can more quickly help users prove their authenticity and help them recover their usernames and passwords.

Never Reveal the Old Password

We’ll wrap up on a word of warning. If you do choose to get creative with your login hints or account reclaiming methods, any WordPress user/developer has a right to do, just remember the fundamentals. One of the keys to the classic account reclaiming path is that users who have forgotten their previous password never sees that password again. The old password is never printed, never counted out in dots, and never directly hinted at. This ensures that if a hacker attempts to engage in account recovery or even manages to read their texts or emails that one of the user’s existing passwords can never be revealed.

Login hints which are provided by WordPress default are not a good idea and should be disabled. But there are other ways to help your users recover their accounts while simultaneously thwarting hackers that are a much better solution. Use creative and non-descriptive reminder tips, offer immediate recovery options, consider a two-factor authentication style before enabling account recovery, and be sure to always require access to a private account or device before allowing access after a failed login. Unless, of course, the user has a forehead-slapping moment and suddenly remembers their password. In which case, all is well. For more cybersecurity best practices or a managed IT security team, contact us today!