fix: reword mixed-audience login failure notice to be informational#922
Open
dknauss wants to merge 6 commits into
Conversation
Bumps the npm_and_yarn group with 1 update in the / directory: [basic-ftp](https://github.com/patrickjuchli/basic-ftp). Updates `basic-ftp` from 5.2.2 to 5.3.0 - [Release notes](https://github.com/patrickjuchli/basic-ftp/releases) - [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md) - [Commits](patrickjuchli/basic-ftp@v5.2.2...v5.3.0) --- updated-dependencies: - dependency-name: basic-ftp dependency-version: 5.3.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm_and_yarn group with 1 update in the / directory: [shell-quote](https://github.com/ljharb/shell-quote). Updates `shell-quote` from 1.8.3 to 1.8.4 - [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md) - [Commits](ljharb/shell-quote@v1.8.3...v1.8.4) --- updated-dependencies: - dependency-name: shell-quote dependency-version: 1.8.4 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm_and_yarn group with 1 update in the / directory: [launch-editor](https://github.com/vitejs/launch-editor). Updates `launch-editor` from 2.11.1 to 2.14.1 - [Commits](vitejs/launch-editor@v2.11.1...v2.14.1) --- updated-dependencies: - dependency-name: launch-editor dependency-version: 2.14.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The previous notice used "WARNING:" and "If this wasn't you, you should reset your password." The reader has already entered the correct password, so the "if this wasn't you" framing is disorienting for the legitimate user (who likely mistyped a code) and the "reset your password" advice is wrong — the threat is to the second factor, not the password. New text is factual and defers action to after a successful login. Fixes WordPress#919 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.
Seeded demo: 3 failed verification attempts 5 minutes ago, shows the updated failure notice in context (no rate-limit error). Landing page: /wp-login.php?action=two_factor_notice_demo Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Companion to PR #917 and PR #921. Fixes #919.
What changed
`maybe_show_last_login_failure_notice()` in `class-two-factor-core.php`.
Before:
After:
Why each change
Remove "WARNING:" — same rationale as PR #921: a severity prefix for a temporary informational notice is alarming and inappropriate.
Remove "If this wasn't you" — the notice is shown on the 2FA form, after the user has already entered the correct password. That reader is either the legitimate account owner (who mistyped a code) or someone who knows the password. Either way, "if this wasn't you" frames a known-password holder as a potential stranger to their own account, which is disorienting.
Remove "you should reset your password" — the failed attempts were 2FA failures, not password failures. Resetting the password doesn't protect an account whose password is already known. The appropriate action (review sessions, rotate 2FA credentials) belongs after login, so the new text says so.
"attempted to login … without providing a valid two factor token" → "failed verification code attempt on this account" — shorter, plain-language phrasing that doesn't require the user to parse "two factor token" to understand what happened.
Tests
Two tests updated/added (185 total, all passing):
`test_maybe_show_last_login_failure_notice`: updated string assertions to match new text
`test_login_failure_notice_language_is_calm_and_informational`: new test asserting absence of `WARNING`, `wasn't you`, and `reset your password`; asserts presence of `failed verification code` and `review your account security`
Not addressed here
This notice is only shown when there is no rate-limit error already displayed (see the `elseif` condition in `login_html()`). The rate-limit error message itself was addressed in PR #921.
🤖 Assisted by Claude Code
Try in Playground
What you'll see: The 2FA email code entry form with the updated failure notice above it. This notice is distinct from the rate-limit error in PR #921 — it appears after the rate-limit window has passed (or when there were prior failures but no current lockout). The code entry form and Resend Code button are present and functional.
What to test manually:
No `WARNING:`, no "if this wasn't you", no "reset your password"
`login_html()` takes the `elseif` branch that shows this notice but not the rate-limit error from PR #921 (Improve rate-limit UX: calm error message and hide resend button during lockout)
Technical: Installs the plugin from this PR branch (`dknauss/two-factor@ux/notice-mixed-audience`) via GitHub archive zip through the Playground CORS proxy, i.e. live patch code. A mu-plugin shim sets up a demo user with 3 failed verification attempts recorded 5 minutes ago, then calls `Two_Factor_Core::login_html()` directly, landing at `/wp-login.php?action=two_factor_notice_demo`.
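The branching the description refers to (a rate-limit error takes precedence, otherwise prior 2FA failures produce an informational notice) can be modelled stand-alone. The following is an added example, not the two-factor plugin's code: the function names, the lockout threshold and window, the message wording and the use of `htmlspecialchars` in place of WordPress escaping are all assumptions made for illustration. It reproduces the demo scenario from the PR (3 failures 5 minutes ago, lockout passed) and the contrasting case where the same failures are recent enough to trigger the rate-limit error instead.

```php
<?php
// Hypothetical model of the notice selection described in the PR.
// Not the plugin's own code; names and thresholds are assumptions.

const LOCKOUT_SECONDS   = 60; // assumed lockout window after repeated failures
const LOCKOUT_THRESHOLD = 3;  // assumed number of failures that triggers a lockout

/**
 * Decide what the 2FA code entry form should display.
 *
 * @param int      $failed_attempts 2FA failures since the last successful login
 * @param int|null $last_failure_ts Unix time of the most recent failure, or null
 * @param int      $now             Current Unix time
 * @return array{type: string, text: string} type is 'none', 'rate_limit' or 'notice'
 */
function login_failure_message(int $failed_attempts, ?int $last_failure_ts, int $now): array
{
    if ($failed_attempts === 0 || $last_failure_ts === null) {
        return ['type' => 'none', 'text' => ''];
    }

    $elapsed    = $now - $last_failure_ts;
    $in_lockout = $failed_attempts >= LOCKOUT_THRESHOLD && $elapsed < LOCKOUT_SECONDS;

    if ($in_lockout) {
        // The lockout error takes precedence; the informational notice is suppressed.
        return [
            'type' => 'rate_limit',
            'text' => sprintf(
                'Too many attempts. Please wait %d seconds before trying again.',
                LOCKOUT_SECONDS - $elapsed
            ),
        ];
    }

    // Mixed audience: whoever reads this already holds the password, so the text
    // neither frames them as a stranger nor tells them to reset the password.
    // It states the facts and defers any action to after a successful login.
    $text = sprintf(
        '%d failed verification code %s on this account, most recently %s ago. '
        . 'After you log in, review your account security.',
        $failed_attempts,
        $failed_attempts === 1 ? 'attempt' : 'attempts',
        human_time_diff_seconds($elapsed)
    );

    return ['type' => 'notice', 'text' => $text];
}

/** Coarse "N minutes" / "N seconds" wording for the notice. */
function human_time_diff_seconds(int $seconds): string
{
    if ($seconds < 60) {
        return $seconds === 1 ? '1 second' : "$seconds seconds";
    }
    $minutes = intdiv($seconds, 60);
    return $minutes === 1 ? '1 minute' : "$minutes minutes";
}

/** Render for the login form; output is escaped so the text can never become markup. */
function render_notice(array $message): string
{
    if ($message['type'] === 'none') {
        return '';
    }
    $class = $message['type'] === 'rate_limit' ? 'error' : 'message';
    return sprintf(
        '<p class="%s">%s</p>',
        $class,
        htmlspecialchars($message['text'], ENT_QUOTES, 'UTF-8')
    );
}

// Demo scenario from the PR: 3 failures recorded 5 minutes ago, lockout has passed.
$now = 1700000000;
$m   = login_failure_message(3, $now - 300, $now);
assert($m['type'] === 'notice');
assert(strpos($m['text'], 'WARNING') === false);
assert(strpos($m['text'], 'reset your password') === false);
echo render_notice($m), "\n";

// Same three failures, but 10 seconds ago: the rate-limit error is shown instead.
$m = login_failure_message(3, $now - 10, $now);
assert($m['type'] === 'rate_limit');
echo render_notice($m), "\n";
```

The two `assert` calls on the notice text mirror the kind of check the PR's `test_login_failure_notice_language_is_calm_and_informational` test is described as making; they only run when `zend.assertions` is enabled, which is the default for the PHP development INI.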