Remove WordPress Login Errors

Last modified: May 28, 2026

By default, WordPress gives specific feedback on the login page when credentials fail. Type a username that doesn’t exist and you’ll see “Invalid username.” Enter the right username but wrong password and you’ll see “The password you entered for the username admin is incorrect.” While this is helpful for users who mistype their credentials, it gives attackers a roadmap: they can tell whether they need to keep guessing passwords or switch to a different username entirely.

Replacing these specific messages with a single, vague response is a low-effort security measure that removes a free information source from brute force attacks and username enumeration tools.

Why WordPress Login Errors Are a Security Risk

WordPress login pages attract constant automated attacks — scripts that cycle through username and password combinations until one works. Most start with common usernames like “admin,” “administrator,” or the site owner’s first name.

When WordPress confirms “Invalid username,” the script knows to try different usernames. When it returns “The password you entered for admin is incorrect,” it has confirmed the username and can switch entirely to password guessing. Removing that distinction makes the attacker work harder on both fronts simultaneously, rather than being able to narrow the attack one variable at a time.

What WordPress Shows by Default

Here are the specific messages WordPress displays on failed logins:

  • “Invalid username.” — tells the attacker this username doesn’t exist in the database
  • “The password you entered for the username ‘admin’ is incorrect.” — confirms the username exists and even displays it in the message
  • “Error: The password you entered for the email address is incorrect.” — same pattern, via email-based login

All three variants leak useful information. The fix replaces them all with a single non-specific message regardless of which field was wrong.

Method 1: Add a Filter to functions.php

Add this code to your theme’s functions.php file, or better yet, to a small site-specific plugin so the change survives theme updates:

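// Return one generic message for every login error, whichever field was wrong.
function no_wordpress_errors(){
  return 'Wrong information - please try again';
}
// Run the function whenever WordPress is about to print a login error.
add_filter( 'login_errors', 'no_wordpress_errors' );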

The login_errors filter intercepts the error message WordPress is about to output and replaces it with your custom string. The message “Wrong information - please try again” is vague enough to give no useful signal to an attacker while still telling a real user that something went wrong.

Note: some versions of this snippet also include add_filter( 'auto_update_plugin', '__return_true' ); which forces automatic plugin updates site-wide. That line is unrelated to login errors — leave it out unless you specifically want auto-updates enabled for all plugins.

Choosing a Replacement Message

The message you return from the login_errors filter matters. A poorly written replacement can be nearly as informative as the original, or confuse real users into thinking the site is broken.

Good replacement messages:

  • “Wrong information – please try again.” (simple, neutral, actionable)
  • “The username or password you entered is incorrect. Please try again.” (slightly longer, still non-specific)
  • “Login failed. Please check your credentials and try again.” (professional, no detail about which field failed)

What to avoid:

  • Any message that mentions “username” and “password” separately — if the message differs based on which one was wrong, you’ve recreated the original problem
  • Overly cryptic messages like “Error 403” — real users won’t know what to do
  • Messages so generic that users don’t know a login attempt failed at all

Since WordPress applies the same filter for all login error types, your function receives the existing error HTML as its first argument. You can ignore it entirely and return your own string, or inspect it if you want to log failures server-side while still showing a clean message to the user.
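The logging option described above, as an added example that is not code from the original post: it records the original message server-side and returns the same generic string as Method 1. The function name example_generic_login_error and the log line format are assumptions; use it in place of the Method 1 snippet rather than alongside it.

```php
<?php
// Added example (not from the original post). Function name and log format are assumptions.
function example_generic_login_error( $error_html ) {
    // The filter receives the error as HTML. Reduce it to one line of plain
    // text so it cannot inject markup or extra lines into the log.
    $detail = wp_strip_all_tags( (string) $error_html, true );
    $detail = preg_replace( '/[\x00-\x1F\x7F]+/', ' ', $detail );
    $detail = substr( $detail, 0, 300 ); // cap length; the text can echo user input

    // REMOTE_ADDR is the direct peer. Behind a reverse proxy it is the proxy's
    // address, so resolve the client address there instead.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        $ip = 'unknown';
    }

    // Goes to the PHP error log (destination set by the error_log ini directive).
    // Only the message WordPress generated is recorded, never the submitted password.
    error_log( sprintf(
        'login_failure ip=%s detail="%s"',
        $ip,
        addcslashes( $detail, '"\\' )
    ) );

    // Every visitor sees the same string, whichever field was wrong.
    return 'Wrong information - please try again';
}
add_filter( 'login_errors', 'example_generic_login_error' );
```

The log keeps the detail the login page no longer shows, so repeated failures from one address stay visible to whoever reviews the server logs.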

Method 2: Use a Plugin

If you’d prefer not to edit PHP directly, several security plugins handle login error suppression as a built-in feature:

  • WPS Hide Login — changes your login page URL and removes login error messages. Lightweight, free, and widely used. After activating, go to Settings and set a custom login path. Error messages are suppressed automatically.
  • Limit Login Attempts Reloaded — rate-limits login attempts and can suppress specific error messages after repeated failures. Adds lockout functionality to complement the message hiding. Configure the lockout threshold in Settings to block IPs after 3-5 failed attempts.
  • Wordfence Security — comprehensive security plugin that handles login protection, brute force blocking, and error message control in one package. After activating, go to Wordfence, then Login Security, and enable “Don’t let WordPress reveal valid users in login errors.” This suppresses username enumeration via the login form. Heavier than the other two but covers far more ground.

All three are available free in the WordPress plugin repository. After installing and activating, look for “login error messages,” “login security,” or “brute force” in the plugin settings to find the relevant toggle.

Testing Your Changes

After adding the filter or activating a plugin, test the result:

  1. Open your WordPress login page in a private or incognito browser window
  2. Enter a username that doesn’t exist — you should see your custom message, not “Invalid username”
  3. Enter a valid username with the wrong password — you should see the same custom message, not one that names the username
  4. Try completely wrong credentials — same generic message should appear for all cases

If you still see the default WordPress messages after adding the code, check that the code was saved correctly in functions.php and that your active theme is the one you edited. You can also verify by going to Appearance → Theme File Editor → functions.php in your WordPress dashboard to confirm the function is present.

One more thing worth checking: some caching plugins serve cached versions of the login page, which can make it look like the filter isn’t working. Clear your cache after making the change and test again.

Final Word: Remove WordPress Login Errors

Hiding WordPress login error messages is one of the smallest changes you can make for a measurable security improvement. A single filter function in functions.php – or a quick plugin install – stops your login page from telling attackers whether they guessed the wrong username or wrong password. It won’t stop a determined attacker on its own, but paired with strong passwords, two-factor authentication, and login rate limiting, it removes one more free information source from the brute force toolkit. If you do get locked out and the password reset email doesn’t arrive, our guide on resetting your WordPress password without email covers the phpMyAdmin and functions.php recovery methods.
