I have a question regarding a WordPress site I have recently developed for a client. Until now I have only developed sites for small clients that just require personal websites; however, this client has asked me to redevelop his site as the current one has a lot of security issues. Anyway, I have created the site and shown it to him, and he has asked if I can ‘apply input sanitation so special characters like @,&,-,+,% are not allowed’ to the login field.
- My question therefore is: does WordPress require further development to stop SQL injections etc. on login forms? And do I need to apply input sanitation to the login fields?
- It seems odd to not allow special characters when special characters are better for passwords, so should I do this? Bear in mind that the site doesn’t have public registration. It has a login feature for partners, for which the admin would create the login.
Thanks
Ian
Answers:
Method 1
wp-login.php should not require additional effort from you to secure. However, I don’t think that’s what your client is asking for.
My question therefore is does WordPress require further development to stop SQL injections etc on login forms? And do I need to apply input sanitation to the login fields?
To wp-login.php, no, you don’t. Not for security reasons, anyway, but that’s not what your client asked for. They just asked to make “@,&,-,+,% are not allowed”, which sounds like a business logic decision, and not related to security.
It seems odd to not allow special characters when special characters are better for passwords so should I do this? Bear in mind that the site doesn’t have public registration. It has a login feature for partners which the admin would create the login for.
From what you’ve said, your client didn’t mention the password field. They just mentioned the “login” field, which I would interpret as the username field.
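As an added example (not code from the original question or answer), here is how the client's rule could be applied as business logic on the username field only, without touching WordPress's own login handling: a must-use plugin hooked on the core `authenticate` filter after WordPress's built-in username/password and email/password handlers (priority 20), so an earlier rejection cannot be overwritten by a later successful lookup. The function names, the constant and the error code are my own choices, and note that rejecting `@` also blocks WordPress's log-in-by-email-address feature.

```php
<?php
/**
 * Plugin Name: Disallow special characters in the login (username) field
 * Added example for this Q&A, not part of the original post.
 * Drop into wp-content/mu-plugins/ so it is always active.
 */

// Characters the client wants rejected in the login field (constant name is my own).
const EXAMPLE_DISALLOWED_LOGIN_CHARS = '@&-+%';

/**
 * True when the submitted login contains any of the disallowed characters.
 * strpbrk() returns false only when none of the characters occur.
 */
function example_login_has_disallowed_chars( string $login ): bool {
    return strpbrk( $login, EXAMPLE_DISALLOWED_LOGIN_CHARS ) !== false;
}

/**
 * 'authenticate' filter callback. $user is a WP_User on success, a WP_Error on
 * failure, or null when nothing ran yet; we must return one of those.
 */
function example_reject_disallowed_login( $user, $username, $password ) {
    // Nothing submitted yet (plain visit to wp-login.php): leave core's result alone.
    if ( '' === (string) $username ) {
        return $user;
    }

    if ( example_login_has_disallowed_chars( (string) $username ) ) {
        // Same generic wording as a wrong password, so the rule does not reveal
        // which usernames exist. This replaces whatever core decided.
        return new WP_Error(
            'example_disallowed_login_chars',
            __( '<strong>Error:</strong> The username or password you entered is incorrect.' )
        );
    }

    return $user;
}

// Priority 30: runs after wp_authenticate_username_password and
// wp_authenticate_email_password, which core registers at priority 20.
add_filter( 'authenticate', 'example_reject_disallowed_login', 30, 3 );
```

Because the filter runs after the password check, a valid password for a username containing one of these characters still produces the generic error, which is the behaviour the client asked for; it does not add any SQL-injection protection, since wp-login.php already uses prepared queries.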
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.