I am trying to create my own login form for WordPress using wp-login.php as a template.
In the form that is used to collect login information from the user (lines 680 through 703 of wp-login.php), there doesn’t seem to be any implementation of a nonce.
I have been told by quite a few people that I should always be using a nonce when collecting information from forms – but there is not a single reference to a nonce in this entire file – despite there being four fairly critical forms.
So – what am I missing?
I know that the login form uses a testcookie and that you create a securecookie when reading through the POST information – but does that somehow solve the security issue? Are there any good resources out there for understanding how secure cookies work in this instance?
is not a correct way to do that.
Source
You’d better use the wp_login_form() function in a custom template.
EDIT:
And if you want to add an option to reset password you could do this:
Source
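As an added illustration that is not part of the question or the answer above: a custom login template built on wp_login_form() as the answer recommends, plus a nonce-protected lost-password form showing the wp_nonce_field() / wp_verify_nonce() pattern the question asks about. The function names, shortcode tags, nonce action string and field names are invented for this example; it assumes the code lives in a theme or plugin file and that retrieve_password() is the public function WordPress ships in wp-includes/user.php (WordPress 5.7 and later).

```php
<?php
/**
 * Added example, not code from the question or the answer above.
 * Assumptions: runs inside a theme/plugin file; all names prefixed
 * "example_" are invented here; retrieve_password() is the public
 * WordPress function (wp-includes/user.php, WordPress 5.7+).
 */

// Arbitrary nonce action string chosen for this example.
const EXAMPLE_LOSTPW_ACTION = 'example_lostpassword';

/**
 * Render the login form with wp_login_form(). It emits the log, pwd,
 * rememberme and redirect_to fields that wp-login.php expects and posts
 * them to the core login URL, so the request gets the same cookie-based
 * handling (test cookie, secure auth cookie) as the stock form. No nonce
 * is involved: a visitor who is not logged in has no session for a
 * nonce to be bound to.
 */
function example_render_login_form() {
    if ( is_user_logged_in() ) {
        return '<p>' . esc_html__( 'You are already logged in.', 'example' ) . '</p>';
    }
    $form = wp_login_form( array(
        'echo'           => false,
        'redirect'       => home_url( '/' ),
        'form_id'        => 'example-loginform',
        'label_username' => __( 'Username or email', 'example' ),
        'remember'       => true,
    ) );
    // Link to the core reset flow instead of re-implementing it.
    $form .= '<p><a href="' . esc_url( wp_lostpassword_url() ) . '">'
           . esc_html__( 'Lost your password?', 'example' ) . '</a></p>';
    return $form;
}

/**
 * Render a custom lost-password request form protected by a nonce.
 * Caveat: for a logged-out visitor wp_create_nonce() is derived from
 * user ID 0 and an empty session token, so the same value is issued to
 * every anonymous visitor during the nonce lifetime. It rejects posts
 * that carry no token at all, but it is not per-user CSRF protection
 * the way it is for logged-in users.
 */
function example_render_lostpassword_form() {
    $html  = '<form method="post" action="' . esc_url( home_url( '/' ) ) . '">';
    $html .= wp_nonce_field( EXAMPLE_LOSTPW_ACTION, 'example_lostpw_nonce', true, false );
    $html .= '<label for="example_user_login">'
           . esc_html__( 'Username or email', 'example' ) . '</label>';
    $html .= '<input type="text" name="example_user_login" id="example_user_login" required>';
    $html .= '<button type="submit" name="example_lostpw_submit" value="1">'
           . esc_html__( 'Send reset link', 'example' ) . '</button>';
    $html .= '</form>';
    return $html;
}

/**
 * Handle the POST on 'init'. Returns a short status string so a caller
 * can decide what to show; the visitor-facing message should be the
 * same whether or not the account exists, so valid usernames are not
 * revealed by the response.
 */
function example_handle_lostpassword_post() {
    if ( empty( $_POST['example_lostpw_submit'] ) ) {
        return 'no-submission';
    }
    $nonce = isset( $_POST['example_lostpw_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_lostpw_nonce'] ) )
        : '';
    // wp_verify_nonce() returns false, 1 (first half of lifetime) or 2.
    if ( ! wp_verify_nonce( $nonce, EXAMPLE_LOSTPW_ACTION ) ) {
        return 'bad-nonce';
    }
    $login = isset( $_POST['example_user_login'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_user_login'] ) )
        : '';
    if ( '' === $login ) {
        return 'empty';
    }
    // retrieve_password() creates the reset key and emails the link.
    // Its WP_Error result is deliberately not echoed back to the visitor.
    retrieve_password( $login );
    return 'requested';
}

add_action( 'init', 'example_handle_lostpassword_post' );
add_shortcode( 'example_login', 'example_render_login_form' );
add_shortcode( 'example_lostpassword', 'example_render_lostpassword_form' );
```

Drop the file into a plugin, then place `[example_login]` and `[example_lostpassword]` on a page; the login half delegates everything to wp-login.php, and the lost-password half shows where a nonce does and does not add protection for an anonymous visitor.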