Skip to content

Generic Login Errors

Generic Login Errors shows one polite message for every failed credential check so attackers cannot tell whether the username or the password was wrong - a simple anti-enumeration hardening step for the login screen and related auth paths.

WordPress normally uses different messages for unknown users vs wrong passwords. When this module is enabled, it:

  • Replaces credential-failure messages with one generic string you control.
  • Covers multiple surfaces - wp-login.php, WooCommerce login, XML-RPC authentication, and PowerSuite 2FA AJAX login.
  • Leaves other notices alone - empty fields, lockouts, session expired, 2FA prompts, and similar non-credential errors stay as they are.
  • Normalizes errors early on the authenticate filter, then again on display filters as a safety net.

Default message: “Invalid username or password.”

Enable it if:

  • You’re hardening login against username fishing / enumeration via error text.
  • You want one clear, brand-safe message for bad credentials.
  • You run WooCommerce or XML-RPC auth and want the same behavior there.

Open the module’s Settings under WP PowerSuite -> Modules -> Generic Login Errors:

Setting Purpose Default
Generic Error Message (generic_error_message) Text shown for unknown user or wrong password. Max 500 characters. Invalid username or password.
  1. In WordPress admin, go to WP PowerSuite -> Modules.
  2. Filter by Login & Users or search for “Generic Login Errors”.
  3. Turn the module’s toggle on.
  4. Open Settings, optionally edit the message, and save.

To undo it, toggle the module off - WordPress’s default distinct messages return.

  • On wp-login.php, try a wrong password for a real user, then a made-up username. ✅ Working: both show the same generic message.
  • ❌ Not working: WordPress still says the username doesn’t exist vs incorrect password.

If you use WooCommerce, repeat on the My Account login form. Confirm lockouts / 2FA still show their own messages when those modules are active.

  • Different messages still appear for bad user vs bad password. Confirm the module is enabled and saved. Clear any page cache on the login URL.
  • Conflicts with Login ID Type. If Login ID Type is username-only or email-only, the settings screen warns you - switch Login ID Type to username + email, or disable one of the two modules.
  • Lockout or 2FA text changed unexpectedly. Those should be untouched. If a third-party plugin rewrites login_errors, check that plugin’s settings.
  • Custom LMS/membership forms still leak details. Those forms may need to opt in via the wp_powersuite_is_credential_login_request filter (see Developer notes).
Does a generic login error stop username enumeration?

It stops credential failures from revealing whether the username or password was wrong. Lockouts, empty fields, 2FA, and other non-credential notices stay unchanged.

Which login forms does Generic Login Errors cover?

wp-login.php credential failures, WooCommerce My Account login, XML-RPC auth, REST-related credential paths the module hooks, and PowerSuite 2FA AJAX login.

Can I customize the generic error text?

Yes. Set Generic Error Message in the module settings. The default is "Invalid username or password." Messages are capped at 500 characters.

Should I use this with Login ID Type?

Avoid combining it with Login ID Type in username-only or email-only mode - both rewrite login errors. Prefer this module alone, or Login ID Type in username + email mode.

Developer notes (hooks & filters)

Source: modules/custom-login-error-messages/module.php. Boots on the critical tier. Context: frontend, ajax, rest. Display name in meta: Generic Login Errors.

  • authenticate (priority 99) - anonymizes credential WP_Errors early via CredentialErrorNormalizer.
  • wp_login_errors and login_errors - display-layer normalization; preserves lockout markup containing wpps-lockout-message.
  • woocommerce_process_login_errors when WooCommerce is active.
  • wp_powersuite_ajax_login_generic_message for PowerSuite 2FA AJAX login.
  • XML-RPC: registers filters when XMLRPC_REQUEST is defined.
  • Third-party forms can opt in with wp_powersuite_is_credential_login_request (used by LoginRequestDetector).

Replaced credential codes become a single invalid_username_or_incorrect_password error with your configured text.