Skip to content

Commit 617594d

Browse files
dknaussclaude
andcommitted
fix: reword mixed-audience login failure notice to be informational
The previous notice used "WARNING:" and "If this wasn't you, you should reset your password." The reader has already entered the correct password, so the "if this wasn't you" framing is disorienting for the legitimate user (who likely mistyped a code) and the "reset your password" advice is wrong — the threat is to the second factor, not the password. New text is factual and defers action to after a successful login. Fixes #919 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 3a97559 commit 617594d

2 files changed

Lines changed: 26 additions & 6 deletions

File tree

class-two-factor-core.php

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1022,10 +1022,10 @@ public static function maybe_show_last_login_failure_notice( $user ) {
10221022
echo '<div id="login_notice" class="message"><strong>';
10231023
printf(
10241024
esc_html(
1025-
/* translators: 1: number of failed login attempts, 2: time since last failed attempt */
1025+
/* translators: 1: number of failed verification code attempts, 2: human-readable time since the last attempt, e.g. "5 minutes" */
10261026
_n(
1027-
'WARNING: Your account has attempted to login %1$s time without providing a valid two factor token. The last failed login occurred %2$s ago. If this wasn\'t you, you should reset your password.',
1028-
'WARNING: Your account has attempted to login %1$s times without providing a valid two factor token. The last failed login occurred %2$s ago. If this wasn\'t you, you should reset your password.',
1027+
'%1$s failed verification code attempt on this account. The last attempt was %2$s ago. If you did not make this attempt, review your account security after logging in.',
1028+
'%1$s failed verification code attempts on this account. The last attempt was %2$s ago. If you did not make these attempts, review your account security after logging in.',
10291029
$failed_login_count,
10301030
'two-factor'
10311031
)

tests/class-two-factor-core.php

Lines changed: 23 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -797,8 +797,7 @@ public function test_maybe_show_last_login_failure_notice() {
797797

798798
$this->assertNotEmpty( $contents );
799799
$this->assertStringNotContainsString( '1 times', $contents );
800-
$this->assertStringContainsString( 'attempted to login', $contents );
801-
$this->assertStringContainsString( 'without providing a valid two factor token', $contents );
800+
$this->assertStringContainsString( 'failed verification code attempt', $contents );
802801

803802
// 5 failed login attempts 5 hours ago - User should be informed.
804803
$five_hours_ago = time() - 5 * HOUR_IN_SECONDS;
@@ -809,10 +808,31 @@ public function test_maybe_show_last_login_failure_notice() {
809808
$contents = ob_get_clean();
810809

811810
$this->assertNotEmpty( $contents );
812-
$this->assertStringContainsString( '5 times', $contents );
811+
$this->assertStringContainsString( 'failed verification code attempts', $contents );
813812
$this->assertStringContainsString( human_time_diff( $five_hours_ago ), $contents );
814813
}
815814

815+
/**
816+
* Test that the login failure notice uses calm, informational language.
817+
*
818+
* @covers Two_Factor_Core::maybe_show_last_login_failure_notice()
819+
*/
820+
public function test_login_failure_notice_language_is_calm_and_informational() {
821+
$user = $this->get_dummy_user();
822+
update_user_meta( $user->ID, Two_Factor_Core::USER_FAILED_LOGIN_ATTEMPTS_KEY, 3 );
823+
update_user_meta( $user->ID, Two_Factor_Core::USER_RATE_LIMIT_KEY, time() - 60 );
824+
825+
ob_start();
826+
Two_Factor_Core::maybe_show_last_login_failure_notice( $user );
827+
$contents = ob_get_clean();
828+
829+
$this->assertStringNotContainsString( 'WARNING', $contents );
830+
$this->assertStringNotContainsString( "wasn't you", $contents );
831+
$this->assertStringNotContainsString( 'reset your password', $contents );
832+
$this->assertStringContainsString( 'failed verification code', $contents );
833+
$this->assertStringContainsString( 'review your account security', $contents );
834+
}
835+
816836
/**
817837
* Test no reset notice when no errors.
818838
*

0 commit comments

Comments
 (0)