Input sanitation - Read For Learn

wp-login.php should not require additional effort from you to secure. However, I don’t think that’s what you client is asking for.

My question therefore is does WordPress require further development to
stop SQL injections etc on login forms? And do I need to apply input
sanitation to the login fields?

To wp-login.php, no, you don’t. Not for security reasons, anyway, but that’s not what your client asked for. They just asked to make “@,&,-,+,% are not allowed”, which sounds like a business logic decision, and not related to security.

It seems odd to not allow special characters when special characters
are better for passwords so should I do this? Bare in mind that the
site doesn’t have public registration. It has a login feature for
partners which the admin would create the login for.

From what you’ve said, your client didn’t mention the password field. They just mentioned the “login” field, which I would interpret as the username field.

Is there any way to rename or hide wp-login.php?
Increase of failed login attempts, brute force attacks? [closed]
How to fake a WordPress login?
Brute force attack?
Receiving “This content cannot be displayed in a frame” error on login page
Websites defaced by uploading script using theme editor
Make wordpress admin failed login attempt return 401
WordPress login urls
Store brute-force IP addresses
How to create a private login page for admin.?
WordPress Security – How to block alternative WordPress access
Protecting WordPress login page
wp-admin folder, brute force, and password protection
Sniffing wordpress user’s credentials
disable site_url redirect in wp-login.php
Does WordPress (or a plugin) reveal login credentials to admin?
Is wp_login_form secure on a non secure page?
WordPress login security
Why isn’t the login page rate limited by default?
Invalidate username if it contains @ symbol
How can I password protect a WordPress site without requiring users to log in?
How to Prevent Brute Force Attack on WordPress
Advice on redirect to lock site from unauthorized users
Where is the php file, that does the checks for login information?
Error on WordPress Login
Access log “POST /wp-login.php HTTP/1.0” 400
force login loophole
I need to find which is the file that checks the DB for correct login (username, password)
How to create separate login for authors/moderators/subscribers?
How to invalidate `password reset key` after being used
Site is not loading after relogin attempts on SSL
Some crawlers/bots attempting to login with very good guesses. How?
Hide wp-login.php but not the widget
How login is possible, if I deny login page via nginx?
Custom login form
Adding extra authentication field in login page
How to check in timber if user is loggedin?
Stop WordPress from logging me out (need to keep me logged in)
Customize wp_new_user_notification_email()
Need to execute a cron job
Masking logout URL
How can I retrieve the username and password from my WordPress installation?
User Directory without a Plugin
Pre checking condition before login
Custom Connect to Facebook, problem logging in/logging out
Redirect after empty login username and password
WordPress Login page trashed
Are there ways of logging in that bypass wp-login.php altogether?
Change Favicon on Login Screen?
Admin username and password
Customizing the WordPress login form
How to display username and password after registration
wp-login gives 404 error, but wp-admin is working fine
Login error redirecting to wp-login page
Private page protected with username and password
Password reset – Disabled for LDAP accounts
Replace dash with space in username on login
Autologin only working the second time
Completely replacing the login form
Why wp_update_user doesn’t update user_activation_key on users with apostrophes in their email?
Forgot Password/ Password Reset Page does not exist
WordPress on Apache behind nginx using letsencypt issue with loginizer/limit login attempts
Auto login between word press subdomain and a .net website
Custom Login form from WordPress site to non-WordPress site
WordPress error on log out ‘Not Permitted’ and can’t log out
How can I change the email sender name from wordpress to (myblogname) on the “lost password” email?
Changed primary domain and now wordpress login won’t work
Add logout link when logged in, make it disappear when logged out?
Keep user session with custom implementation of user login
Forcing frontend login with UI switch
Sidebar login widget with error print, returns an error
Prevent display password on wp-login.php
wp_get_current_user does not work properly on log in page
How do I limit access to wp-admin to an IP range?
WordPress Logout Problem [closed]
Timezone Change Locked Me Out? [closed]
One time login on 2 different WordPress sites
How are all users now set to inactive?
Unable to login into WordPress 401
Custom user roles are unable to login
Google reCaptcha on WP login page
Recovering log in information
Log in only by email and no username
Extend Cookie with auth_cookie_expiration not working
Modify wp-login.php Labels Conditionally Based On Referring URL
Stop customers and subscribers from login to dashboard
prevent login after incorrect password 5 times
Why does /wp-admin login send me to this landing page?
Locked out of WordPress admin area [closed]
WordPress login page blank after customizations – works on other sites
WordPress does not send email confirmation to newly registered users
How to dequeue the default CSS styles on the wp-login.php page?
confirmation email is send from my local host registration of a user but mail will not display in there email account?
Server error after log in
Changed from HTTP to HTTP, can login no longer login
Without user loging inner page is disable wordpress [duplicate]
WordPress and Magento: let WordPress manage user registration and logins?
How to change the login URL
Click on banner to register to the blog
Login and register by API

Related Posts: