wp_authenticate_username_password
in wp-includes/user.php
and wp_check_password
in pluggable.php
I would advise against meddling with these though unless you’re removing the wordpress user authentification and putting your own in, e.g. http://wordpress.org/extend/plugins/simple-ldap-login/. For the best part, not using the admin username, making the first account a non super admin, not using wp_ database prefix, putting salt values in wp-config.php and setting up your folder permissions/htaccess correctly would do you far more good.
If a hacker has access to your encrypted password hashes, you’ve already lost the battle.
Related Posts:
- How can I password protect a WordPress site without requiring users to log in?
- How to invalidate `password reset key` after being used
- Is there any way to rename or hide wp-login.php?
- Increase of failed login attempts, brute force attacks? [closed]
- Check for correct username on custom login form
- How to fake a WordPress login?
- Brute force attack?
- Add Confirm Password field in wp-login.php Password Reset page
- Receiving “This content cannot be displayed in a frame” error on login page
- How to customise wp-login.php only for users who are setting a password for the first time?
- Give visitor access to password protected page/post via external script
- Send reset password link to user from custom lost password form
- Websites defaced by uploading script using theme editor
- Make wordpress admin failed login attempt return 401
- How can I retrieve the username and password from my WordPress installation?
- password protect individual pages
- Problem with logging in WP users automatically
- WordPress login urls
- How to determine if a user has not changed default generated password
- Store brute-force IP addresses
- Right practice to edit WP reset password email
- How to create a private login page for admin.?
- WordPress Security – How to block alternative WordPress access
- Protecting WordPress login page
- wp-admin folder, brute force, and password protection
- Sniffing wordpress user’s credentials
- Private page protected with username and password
- reset password link redirect to login page
- Password protect media attachment – share across guests
- Password reset – Disabled for LDAP accounts
- Why wp_update_user doesn’t update user_activation_key on users with apostrophes in their email?
- Forgot Password/ Password Reset Page does not exist
- Correct passwords keep appearing as incorrect
- disable site_url redirect in wp-login.php
- Forgot password needs to redirect from wp-login to a custom page
- Reset Password policy
- How can I change the email sender name from wordpress to (myblogname) on the “lost password” email?
- Does WordPress (or a plugin) reveal login credentials to admin?
- Is wp_login_form secure on a non secure page?
- How to password-protect everything except the logo
- WordPress login security
- Why isn’t the login page rate limited by default?
- Is there anyway to get the inputted password string from the login form?
- Input sanitation
- How to Prevent Brute Force Attack on WordPress
- Password not resetting on wordpress?
- Advice on redirect to lock site from unauthorized users
- autocomplete=”off” WordPress Login
- WordPress not logged in locally with correct username and password
- wordpress login without password just email address (NO 2 factor authentication with email)
- Where is the php file, that does the checks for login information?
- Error on WordPress Login
- Access log “POST /wp-login.php HTTP/1.0” 400
- Can I protect a type of content site-wide with a single password?
- Password recovery URL has error – but not found in code or db
- force login loophole
- Temporally disable password to login with empty password?
- How to create separate login for authors/moderators/subscribers?
- Login form does not store/remember/suggest users password
- WordPress password reset not working
- New user password confirmation sending wrong URL
- Locked out of WordPress admin area [closed]
- Global login to password protected pages
- Disable / Remove Password for Login WordPress
- How to password protect pages in WordPress
- Site is not loading after relogin attempts on SSL
- Chosen user password in registration is not being accepted on Login
- Some crawlers/bots attempting to login with very good guesses. How?
- User login without username, only password
- wp_lostpassword_url not escaped
- Hide wp-login.php but not the widget
- Trouble logging in and/or changing password
- Cannot login with correct username and password anymore
- How login is possible, if I deny login page via nginx?
- Cant login, Password MUST be reset error, after reset
- Log in a user upon password reset?
- Removing username from the ‘wordpress_logged_in’ cookie
- Login redirect_to loop with reauth=1, cookie expiry set to 1 year in past
- Making a client page
- Show reCaptcha on Custom Frontend Login & Register Form [closed]
- Auto Login After Registration
- Is the login encrypted before it is sent? If so how to do I encrypt it the same way?
- What speaks against using a custom login.php / register.php to wordpress?
- WordPress login doesn’t work when using preview domain
- Prevent Subscriber Role to login
- Login user using wp_signon and WP_User object
- Login failed after cloning live wordpress site to local wampserver
- Get WordPress login functions without printing anything
- woocommerce store login not working at first time
- How is it possible to current user info on page in WordPress?
- Trouble when I try to connect to WordPress
- Login/password protected “client page”
- Set logged in user based on API response
- Webpage not found upon entering wrong username and password on custom login form?
- Redirect after user changes password
- WordPress Login Box horizontal at the top.
- How to make WordPress keep me signed in? [duplicate]
- Directory to store secure file
- Can you alter the default wordpress strong password requirements?
- Login and register by API