
fix: reword mixed-audience login failure notice to be informational #922

Open

dknauss wants to merge 6 commits into WordPress:master from dknauss:ux/notice-mixed-audience

fix: reword mixed-audience login failure notice to be informational#922
dknauss wants to merge 6 commits into
WordPress:masterfrom
dknauss:ux/notice-mixed-audience

Conversation

dknauss (Contributor) commented Jul 3, 2026

Companion to PR #917 and PR #921. Fixes #919.

What changed

maybe_show_last_login_failure_notice() in class-two-factor-core.php.

Before:

WARNING: Your account has attempted to login %1$s times without providing a valid two factor token. The last failed login occurred %2$s ago. If this wasn't you, you should reset your password.

After:

%1$s failed verification code attempts on this account. The last attempt was %2$s ago. If you did not make these attempts, review your account security after logging in.

Why each change

Remove "WARNING:" — same rationale as PR #921: a severity prefix for a temporary informational notice is alarming and inappropriate.

Remove "If this wasn't you" — the notice is shown on the 2FA form, after the user has already entered the correct password. That reader is either the legitimate account owner (who mistyped a code) or someone who knows the password. Either way, "if this wasn't you" frames a known-password holder as a potential stranger to their own account, which is disorienting.

Remove "you should reset your password" — the failed attempts were 2FA failures, not password failures. Resetting the password doesn't protect an account whose password is already known. The appropriate action (review sessions, rotate 2FA credentials) belongs after login, so the new text says so.

"attempted to login … without providing a valid two factor token" → "failed verification code attempt on this account" — shorter, plain-language phrasing that doesn't require the user to parse "two factor token" to understand what happened.

Tests

Two tests updated/added (185 total, all passing):

  • test_maybe_show_last_login_failure_notice — updated string assertions to match new text
  • test_login_failure_notice_language_is_calm_and_informational — new test asserting absence of WARNING, wasn't you, and reset your password; asserts presence of failed verification code and review your account security

Not addressed here

This notice is only shown when there is no rate-limit error already displayed (see the elseif condition in login_html()). The rate-limit error message itself was addressed in PR #921.

🤖 Assisted by Claude Code

Try in Playground

Open WordPress Playground Preview

What you'll see: The 2FA email code entry form with the updated failure notice above it. This notice is distinct from the rate-limit error in PR #921 — it appears after the rate-limit window has passed (or when there were prior failures but no current lockout). The code entry form and Resend Code button are present and functional.

What to test manually:

  • Compare the notice text to the "Before" in this PR: no WARNING:, no "if this wasn't you", no "reset your password"
  • The notice is factual and deferred — it tells the account holder what happened and where to act (after login), rather than alarming them mid-login
  • To see the notice without a lockout error: the demo seeds 3 failed attempts 5 minutes ago, past the rate-limit window, so login_html() takes the elseif branch that shows this notice but not the rate-limit error from PR #921 (Improve rate-limit UX: calm error message and hide resend button during lockout)

Technical: Installs the plugin from this PR branch (dknauss/two-factor@ux/notice-mixed-audience) via GitHub archive zip through the Playground CORS proxy — live patch code. A mu-plugin shim sets up a demo user with 3 failed verification attempts recorded 5 minutes ago, then calls Two_Factor_Core::login_html() directly, landing at /wp-login.php?action=two_factor_notice_demo.
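The branch ordering the PR description relies on (an active rate limit takes precedence; the informational notice is only the elseif case, shown when there are prior failures but the lockout has passed), together with the checks the new calm-language test makes, as an added example. This is not the two-factor plugin's code and not the PR author's: the lockout schedule (one minute per consecutive failure, capped at 15), the placeholder lockout error wording, and the helper names lockout_seconds, is_rate_limited, human_minutes, login_form_notice and is_calm_and_informational are all assumptions made for the illustration. Only the two notice strings are taken from the PR. Requires PHP 8 for str_contains().

```php
<?php
// Added example, not the two-factor plugin's code. Models the ordering the PR
// describes for login_html(): an active rate limit wins, and the informational
// notice is rendered only in the elseif branch, when the user has prior
// failures but the lockout window has already passed.

const MINUTE = 60;

// ASSUMED lockout schedule: one minute per consecutive failure, capped at 15.
// The plugin's real backoff is not part of this PR and is not reproduced here.
function lockout_seconds( int $failed_attempts ): int {
    return min( 15, $failed_attempts ) * MINUTE;
}

function is_rate_limited( int $failed_attempts, int $last_failed_at, int $now ): bool {
    if ( $failed_attempts < 1 ) {
        return false;
    }
    return ( $now - $last_failed_at ) < lockout_seconds( $failed_attempts );
}

// Minimal stand-in for WordPress's human_time_diff(); whole minutes suffice here.
function human_minutes( int $seconds ): string {
    $m = max( 1, intdiv( $seconds, MINUTE ) );
    return $m . ( 1 === $m ? ' minute' : ' minutes' );
}

// The "Before" and "After" strings quoted in the PR, in sprintf() form.
const OLD_NOTICE = "WARNING: Your account has attempted to login %1\$s times without providing a valid two factor token. The last failed login occurred %2\$s ago. If this wasn't you, you should reset your password.";
const NEW_NOTICE = '%1$s failed verification code attempts on this account. The last attempt was %2$s ago. If you did not make these attempts, review your account security after logging in.';

/**
 * Returns [ 'type' => 'error'|'notice', 'text' => ... ] for the message shown
 * above the code entry form, or null when the user has no recorded failures.
 */
function login_form_notice( int $failed_attempts, int $last_failed_at, int $now ): ?array {
    if ( $failed_attempts < 1 ) {
        return null;
    }
    if ( is_rate_limited( $failed_attempts, $last_failed_at, $now ) ) {
        // Placeholder wording only; the real lockout message is the subject of PR #921.
        $wait = lockout_seconds( $failed_attempts ) - ( $now - $last_failed_at );
        return [
            'type' => 'error',
            'text' => sprintf( 'Too many failed verification codes. Try again in %s.', human_minutes( $wait ) ),
        ];
    }
    // The elseif branch from the PR description: prior failures, no current lockout.
    return [
        'type' => 'notice',
        'text' => sprintf( NEW_NOTICE, $failed_attempts, human_minutes( $now - $last_failed_at ) ),
    ];
}

/**
 * The checks test_login_failure_notice_language_is_calm_and_informational makes,
 * as a plain function: no alarm phrasing, and both phrases the new text must carry.
 */
function is_calm_and_informational( string $text ): bool {
    foreach ( [ 'WARNING', "wasn't you", 'reset your password' ] as $alarm ) {
        if ( false !== stripos( $text, $alarm ) ) {
            return false;
        }
    }
    return str_contains( $text, 'failed verification code' )
        && str_contains( $text, 'review your account security' );
}

// Walk-through of the Playground seed: three failures recorded five minutes ago.
// Five minutes elapsed exceeds the assumed three-minute lockout, so the elseif
// branch applies and the informational notice is returned rather than the error.
$now    = time();
$seeded = login_form_notice( 3, $now - 5 * MINUTE, $now );
printf( "[%s] %s\n", $seeded['type'], $seeded['text'] );

// Same user one minute after the third failure: still inside the lockout window.
$fresh = login_form_notice( 3, $now - 1 * MINUTE, $now );
printf( "[%s] %s\n", $fresh['type'], $fresh['text'] );

// The calm-language check against the new text and the old text.
var_dump( is_calm_and_informational( $seeded['text'] ) );
var_dump( is_calm_and_informational( sprintf( OLD_NOTICE, 3, '5 minutes' ) ) );
```

Run it with `php notice_demo.php`. The point the model makes visible is that the two messages are mutually exclusive by construction: whichever branch fires first determines what the reader sees, so the informational notice never has to cover the lockout case and can stay factual and deferred.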

dependabot Bot and others added 5 commits June 4, 2026 08:50
Bumps the npm_and_yarn group with 1 update in the / directory: [basic-ftp](https://github.com/patrickjuchli/basic-ftp).


Updates `basic-ftp` from 5.2.2 to 5.3.0
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.2.2...v5.3.0)

---
updated-dependencies:
- dependency-name: basic-ftp
  dependency-version: 5.3.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm_and_yarn group with 1 update in the / directory: [shell-quote](https://github.com/ljharb/shell-quote).


Updates `shell-quote` from 1.8.3 to 1.8.4
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.3...v1.8.4)

---
updated-dependencies:
- dependency-name: shell-quote
  dependency-version: 1.8.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm_and_yarn group with 1 update in the / directory: [launch-editor](https://github.com/vitejs/launch-editor).


Updates `launch-editor` from 2.11.1 to 2.14.1
- [Commits](vitejs/launch-editor@v2.11.1...v2.14.1)

---
updated-dependencies:
- dependency-name: launch-editor
  dependency-version: 2.14.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The previous notice used "WARNING:" and "If this wasn't you, you should
reset your password." The reader has already entered the correct password,
so the "if this wasn't you" framing is disorienting for the legitimate
user (who likely mistyped a code) and the "reset your password" advice
is wrong — the threat is to the second factor, not the password.

New text is factual and defers action to after a successful login.

Fixes WordPress#919

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
github-actions bot commented Jul 3, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: dknauss <dpknauss@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

Seeded demo: 3 failed verification attempts 5 minutes ago,
shows the updated failure notice in context (no rate-limit error).

Landing page: /wp-login.php?action=two_factor_notice_demo

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>


Linked issue (may be closed by merging this pull request): Failed-attempt warning addresses two mutually exclusive audiences simultaneously