fix: reword mixed-audience login failure notice to be informational#922
fix: reword mixed-audience login failure notice to be informational#922dknauss wants to merge 1 commit into
Conversation
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Seeded demo: 3 failed verification attempts 5 minutes ago, shows the updated failure notice in context (no rate-limit error). Landing page: /wp-login.php?action=two_factor_notice_demo Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
masteradhoc
left a comment
There was a problem hiding this comment.
Thanks for the PR @dknauss - LGTM. Can you check my two pending comments?
There was a problem hiding this comment.
Can you please remove this file?
There was a problem hiding this comment.
Correction to my note above: I've removed the Playground demo from this PR entirely rather than inlining it — a demo pointing at my fork branch is workflow-specific noise that doesn't belong in the PR body. The PR is now just the notice-wording change and its tests.
There was a problem hiding this comment.
Yes, done -- sorry about that. We've been playgrounding all the things, and Claude gets overzealous about it. Tried to fit in too many tasks that morning.
There was a problem hiding this comment.
Can we remove the changes on this file and rather move it to a separate PR?
There was a problem hiding this comment.
Removed — the package-lock.json change came from a Dependabot bump on the fork's master that had not yet landed in upstream. Rebasing the branch onto current upstream/master dropped it cleanly.
The previous notice used "WARNING:" and "If this wasn't you, you should reset your password." The reader has already entered the correct password, so the "if this wasn't you" framing is disorienting for the legitimate user (who likely mistyped a code) and the "reset your password" advice is wrong — the threat is to the second factor, not the password. New text is factual and defers action to after a successful login. Fixes WordPress#919
8ea2810 to
617594d
Compare
617594d to
2cb9233
Compare
Companion to PR #917 and PR #921. Fixes #919.
What changed
maybe_show_last_login_failure_notice()inclass-two-factor-core.php.Before:
After:
Why each change
Remove "WARNING:" — same rationale as PR #921: a severity prefix for a temporary informational notice is alarming and inappropriate.
Remove "If this wasn't you" — the notice is shown on the 2FA form, after the user has already entered the correct password. That reader is either the legitimate account owner (who mistyped a code) or someone who knows the password. Either way, "if this wasn't you" frames a known-password holder as a potential stranger to their own account, which is disorienting.
Remove "you should reset your password" — the failed attempts were 2FA failures, not password failures. Resetting the password doesn't protect an account whose password is already known. The appropriate action (review sessions, rotate 2FA credentials) belongs after login, so the new text says so.
"attempted to login … without providing a valid two factor token" → "failed verification code attempt on this account" — shorter, plain-language phrasing that doesn't require the user to parse "two factor token" to understand what happened.
Tests
Two tests updated/added (185 total, all passing):
test_maybe_show_last_login_failure_notice— updated string assertions to match new texttest_login_failure_notice_language_is_calm_and_informational— new test asserting absence ofWARNING,wasn't you, andreset your password; asserts presence offailed verification codeandreview your account securityNot addressed here
This notice is only shown when there is no rate-limit error already displayed (see the
elseifcondition inlogin_html()). The rate-limit error message itself was addressed in PR #921.Try it in Playground
Try this change in WordPress Playground — boots the 2FA login showing the reworded failure notice.