Skip to content

fix: reword mixed-audience login failure notice to be informational#922

Open
dknauss wants to merge 1 commit into
WordPress:masterfrom
dknauss:ux/notice-mixed-audience
Open

fix: reword mixed-audience login failure notice to be informational#922
dknauss wants to merge 1 commit into
WordPress:masterfrom
dknauss:ux/notice-mixed-audience

Conversation

@dknauss

@dknauss dknauss commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Companion to PR #917 and PR #921. Fixes #919.

What changed

maybe_show_last_login_failure_notice() in class-two-factor-core.php.

Before:

WARNING: Your account has attempted to login %1$s times without providing a valid two factor token. The last failed login occurred %2$s ago. If this wasn't you, you should reset your password.

After:

%1$s failed verification code attempts on this account. The last attempt was %2$s ago. If you did not make these attempts, review your account security after logging in.

Why each change

Remove "WARNING:" — same rationale as PR #921: a severity prefix for a temporary informational notice is alarming and inappropriate.

Remove "If this wasn't you" — the notice is shown on the 2FA form, after the user has already entered the correct password. That reader is either the legitimate account owner (who mistyped a code) or someone who knows the password. Either way, "if this wasn't you" frames a known-password holder as a potential stranger to their own account, which is disorienting.

Remove "you should reset your password" — the failed attempts were 2FA failures, not password failures. Resetting the password doesn't protect an account whose password is already known. The appropriate action (review sessions, rotate 2FA credentials) belongs after login, so the new text says so.

"attempted to login … without providing a valid two factor token" → "failed verification code attempt on this account" — shorter, plain-language phrasing that doesn't require the user to parse "two factor token" to understand what happened.

Tests

Two tests updated/added (185 total, all passing):

  • test_maybe_show_last_login_failure_notice — updated string assertions to match new text
  • test_login_failure_notice_language_is_calm_and_informational — new test asserting absence of WARNING, wasn't you, and reset your password; asserts presence of failed verification code and review your account security

Not addressed here

This notice is only shown when there is no rate-limit error already displayed (see the elseif condition in login_html()). The rate-limit error message itself was addressed in PR #921.

Try it in Playground

Try this change in WordPress Playground — boots the 2FA login showing the reworded failure notice.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: dknauss <dpknauss@git.wordpress.org>
Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

dknauss added a commit to dknauss/two-factor that referenced this pull request Jul 3, 2026
Seeded demo: 3 failed verification attempts 5 minutes ago,
shows the updated failure notice in context (no rate-limit error).

Landing page: /wp-login.php?action=two_factor_notice_demo

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@masteradhoc masteradhoc left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @dknauss - LGTM. Can you check my two pending comments?

Comment thread playground/blueprint.json Outdated

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please remove this file?

@dknauss dknauss Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correction to my note above: I've removed the Playground demo from this PR entirely rather than inlining it — a demo pointing at my fork branch is workflow-specific noise that doesn't belong in the PR body. The PR is now just the notice-wording change and its tests.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, done -- sorry about that. We've been playgrounding all the things, and Claude gets overzealous about it. Tried to fit in too many tasks that morning.

Comment thread package-lock.json

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we remove the changes on this file and rather move it to a separate PR?

@dknauss dknauss Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed — the package-lock.json change came from a Dependabot bump on the fork's master that had not yet landed in upstream. Rebasing the branch onto current upstream/master dropped it cleanly.

The previous notice used "WARNING:" and "If this wasn't you, you should
reset your password." The reader has already entered the correct password,
so the "if this wasn't you" framing is disorienting for the legitimate
user (who likely mistyped a code) and the "reset your password" advice
is wrong — the threat is to the second factor, not the password.

New text is factual and defers action to after a successful login.

Fixes WordPress#919
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Failed-attempt warning addresses two mutually exclusive audiences simultaneously

2 participants