wp_authenticate_username_password in wp-includes/user.php and wp_check_password in pluggable.php
I would advise against meddling with these though unless you’re removing the wordpress user authentification and putting your own in, e.g. http://wordpress.org/extend/plugins/simple-ldap-login/. For the best part, not using the admin username, making the first account a non super admin, not using wp_ database prefix, putting salt values in wp-config.php and setting up your folder permissions/htaccess correctly would do you far more good.
If a hacker has access to your encrypted password hashes, you’ve already lost the battle.
Related Posts:
- How can I password protect a WordPress site without requiring users to log in?
- How to invalidate `password reset key` after being used
- Is there any way to rename or hide wp-login.php?
- Increase of failed login attempts, brute force attacks? [closed]
- Check for correct username on custom login form
- How to fake a WordPress login?
- Brute force attack?
- Add Confirm Password field in wp-login.php Password Reset page
- Receiving “This content cannot be displayed in a frame” error on login page
- How to customise wp-login.php only for users who are setting a password for the first time?
- Give visitor access to password protected page/post via external script
- Send reset password link to user from custom lost password form
- Websites defaced by uploading script using theme editor
- Make wordpress admin failed login attempt return 401
- How can I retrieve the username and password from my WordPress installation?
- password protect individual pages
- Problem with logging in WP users automatically
- WordPress login urls
- How to determine if a user has not changed default generated password
- Store brute-force IP addresses
- Right practice to edit WP reset password email
- How to create a private login page for admin.?
- WordPress Security – How to block alternative WordPress access
- Protecting WordPress login page
- wp-admin folder, brute force, and password protection
- Sniffing wordpress user’s credentials
- Private page protected with username and password
- reset password link redirect to login page
- Password protect media attachment – share across guests
- Password reset – Disabled for LDAP accounts
- Why wp_update_user doesn’t update user_activation_key on users with apostrophes in their email?
- Forgot Password/ Password Reset Page does not exist
- Correct passwords keep appearing as incorrect
- disable site_url redirect in wp-login.php
- Forgot password needs to redirect from wp-login to a custom page
- Reset Password policy
- How can I change the email sender name from wordpress to (myblogname) on the “lost password” email?
- Does WordPress (or a plugin) reveal login credentials to admin?
- Is wp_login_form secure on a non secure page?
- How to password-protect everything except the logo
- WordPress login security
- Why isn’t the login page rate limited by default?
- Is there anyway to get the inputted password string from the login form?
- Input sanitation
- How to Prevent Brute Force Attack on WordPress
- Password not resetting on wordpress?
- Advice on redirect to lock site from unauthorized users
- autocomplete=”off” WordPress Login
- WordPress not logged in locally with correct username and password
- wordpress login without password just email address (NO 2 factor authentication with email)
- Where is the php file, that does the checks for login information?
- Error on WordPress Login
- Access log “POST /wp-login.php HTTP/1.0” 400
- Can I protect a type of content site-wide with a single password?
- Password recovery URL has error – but not found in code or db
- force login loophole
- Temporally disable password to login with empty password?
- How to create separate login for authors/moderators/subscribers?
- Login form does not store/remember/suggest users password
- WordPress password reset not working
- New user password confirmation sending wrong URL
- Locked out of WordPress admin area [closed]
- Global login to password protected pages
- Disable / Remove Password for Login WordPress
- How to password protect pages in WordPress
- Site is not loading after relogin attempts on SSL
- Chosen user password in registration is not being accepted on Login
- Some crawlers/bots attempting to login with very good guesses. How?
- User login without username, only password
- wp_lostpassword_url not escaped
- Hide wp-login.php but not the widget
- Trouble logging in and/or changing password
- Cannot login with correct username and password anymore
- How login is possible, if I deny login page via nginx?
- Cant login, Password MUST be reset error, after reset
- Log in a user upon password reset?
- Customize From and email address on password reset
- Custom Log In Screen – Disable password recovery [duplicate]
- Show reCaptcha on Custom Frontend Login & Register Form [closed]
- Problems with is_user_logged_in() | Function in WP
- Is the login encrypted before it is sent? If so how to do I encrypt it the same way?
- What speaks against using a custom login.php / register.php to wordpress?
- Login fail with no error
- wordpress/woocommerce login url not redirecting correctly
- Log in with email but no password
- Get WordPress login functions without printing anything
- Allow login only for one account from one device
- Create a login page which redirects to a specific page?
- how to add social login option in wordpress
- Avoiding accidentally creating a second account at “Or log in with your existing social profile”
- How user should automatically activated and go for login?
- How to lock WordPress front-end with login and password?
- Disabling the login form and redirect users on logout without headers sent php warning
- Webpage not found upon entering wrong username and password on custom login form?
- User not logged first time I open the homepage
- WordPress Login Box horizontal at the top.
- How to limit user to login only once per session
- How to resolve these findings from security audit
- Warning-session start errors and cannot login to administer
- make a login system for site visitors