Generic Login Errors
Generic Login Errors shows one polite message for every failed credential check so attackers cannot tell whether the username or the password was wrong - a simple anti-enumeration hardening step for the login screen and related auth paths.
What it does
Section titled “What it does”WordPress normally uses different messages for unknown users vs wrong passwords. When this module is enabled, it:
- Replaces credential-failure messages with one generic string you control.
- Covers multiple surfaces -
wp-login.php, WooCommerce login, XML-RPC authentication, and PowerSuite 2FA AJAX login. - Leaves other notices alone - empty fields, lockouts, session expired, 2FA prompts, and similar non-credential errors stay as they are.
- Normalizes errors early on the
authenticatefilter, then again on display filters as a safety net.
Default message: “Invalid username or password.”
When to use it
Section titled “When to use it”Enable it if:
- You’re hardening login against username fishing / enumeration via error text.
- You want one clear, brand-safe message for bad credentials.
- You run WooCommerce or XML-RPC auth and want the same behavior there.
When not to use it
Section titled “When not to use it”Settings
Section titled “Settings”Open the module’s Settings under WP PowerSuite -> Modules -> Generic Login Errors:
| Setting | Purpose | Default |
|---|---|---|
Generic Error Message (generic_error_message) |
Text shown for unknown user or wrong password. Max 500 characters. | Invalid username or password. |
How to enable it
Section titled “How to enable it”- In WordPress admin, go to WP PowerSuite -> Modules.
- Filter by Login & Users or search for “Generic Login Errors”.
- Turn the module’s toggle on.
- Open Settings, optionally edit the message, and save.
To undo it, toggle the module off - WordPress’s default distinct messages return.
How to test it
Section titled “How to test it”- On
wp-login.php, try a wrong password for a real user, then a made-up username. ✅ Working: both show the same generic message. - ❌ Not working: WordPress still says the username doesn’t exist vs incorrect password.
If you use WooCommerce, repeat on the My Account login form. Confirm lockouts / 2FA still show their own messages when those modules are active.
Troubleshooting
Section titled “Troubleshooting”- Different messages still appear for bad user vs bad password. Confirm the module is enabled and saved. Clear any page cache on the login URL.
- Conflicts with Login ID Type. If Login ID Type is username-only or email-only, the settings screen warns you - switch Login ID Type to username + email, or disable one of the two modules.
- Lockout or 2FA text changed unexpectedly. Those should be untouched. If a third-party plugin rewrites
login_errors, check that plugin’s settings. - Custom LMS/membership forms still leak details. Those forms may need to opt in via the
wp_powersuite_is_credential_login_requestfilter (see Developer notes).
Does a generic login error stop username enumeration?
It stops credential failures from revealing whether the username or password was wrong. Lockouts, empty fields, 2FA, and other non-credential notices stay unchanged.
Which login forms does Generic Login Errors cover?
wp-login.php credential failures, WooCommerce My Account login, XML-RPC auth, REST-related credential paths the module hooks, and PowerSuite 2FA AJAX login.
Can I customize the generic error text?
Yes. Set Generic Error Message in the module settings. The default is "Invalid username or password." Messages are capped at 500 characters.
Should I use this with Login ID Type?
Avoid combining it with Login ID Type in username-only or email-only mode - both rewrite login errors. Prefer this module alone, or Login ID Type in username + email mode.
Developer notes (hooks & filters)
Source: modules/custom-login-error-messages/module.php. Boots on the critical tier. Context: frontend, ajax, rest. Display name in meta: Generic Login Errors.
authenticate(priority 99) - anonymizes credentialWP_Errors early viaCredentialErrorNormalizer.wp_login_errorsandlogin_errors- display-layer normalization; preserves lockout markup containingwpps-lockout-message.woocommerce_process_login_errorswhen WooCommerce is active.wp_powersuite_ajax_login_generic_messagefor PowerSuite 2FA AJAX login.- XML-RPC: registers filters when
XMLRPC_REQUESTis defined. - Third-party forms can opt in with
wp_powersuite_is_credential_login_request(used byLoginRequestDetector).
Replaced credential codes become a single invalid_username_or_incorrect_password error with your configured text.