From 2cb923346b29123d62ea746da4c14d90657b55b4 Mon Sep 17 00:00:00 2001 From: Dan Knauss Date: Fri, 3 Jul 2026 00:31:31 -0600 Subject: [PATCH] fix: reword mixed-audience login failure notice to be informational MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous notice used "WARNING:" and "If this wasn't you, you should reset your password." The reader has already entered the correct password, so the "if this wasn't you" framing is disorienting for the legitimate user (who likely mistyped a code) and the "reset your password" advice is wrong — the threat is to the second factor, not the password. New text is factual and defers action to after a successful login. Fixes #919 --- class-two-factor-core.php | 6 +++--- tests/class-two-factor-core.php | 26 +++++++++++++++++++++++--- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/class-two-factor-core.php b/class-two-factor-core.php index 7c0ad9a0..df6e566c 100644 --- a/class-two-factor-core.php +++ b/class-two-factor-core.php @@ -1022,10 +1022,10 @@ public static function maybe_show_last_login_failure_notice( $user ) { echo '
'; printf( esc_html( - /* translators: 1: number of failed login attempts, 2: time since last failed attempt */ + /* translators: 1: number of failed verification code attempts, 2: human-readable time since the last attempt, e.g. "5 minutes" */ _n( - 'WARNING: Your account has attempted to login %1$s time without providing a valid two factor token. The last failed login occurred %2$s ago. If this wasn\'t you, you should reset your password.', - 'WARNING: Your account has attempted to login %1$s times without providing a valid two factor token. The last failed login occurred %2$s ago. If this wasn\'t you, you should reset your password.', + '%1$s failed verification code attempt on this account. The last attempt was %2$s ago. If you did not make this attempt, review your account security after logging in.', + '%1$s failed verification code attempts on this account. The last attempt was %2$s ago. If you did not make these attempts, review your account security after logging in.', $failed_login_count, 'two-factor' ) diff --git a/tests/class-two-factor-core.php b/tests/class-two-factor-core.php index 38052106..e1a44f98 100644 --- a/tests/class-two-factor-core.php +++ b/tests/class-two-factor-core.php @@ -797,8 +797,7 @@ public function test_maybe_show_last_login_failure_notice() { $this->assertNotEmpty( $contents ); $this->assertStringNotContainsString( '1 times', $contents ); - $this->assertStringContainsString( 'attempted to login', $contents ); - $this->assertStringContainsString( 'without providing a valid two factor token', $contents ); + $this->assertStringContainsString( 'failed verification code attempt', $contents ); // 5 failed login attempts 5 hours ago - User should be informed. $five_hours_ago = time() - 5 * HOUR_IN_SECONDS; @@ -809,10 +808,31 @@ public function test_maybe_show_last_login_failure_notice() { $contents = ob_get_clean(); $this->assertNotEmpty( $contents ); - $this->assertStringContainsString( '5 times', $contents ); + $this->assertStringContainsString( 'failed verification code attempts', $contents ); $this->assertStringContainsString( human_time_diff( $five_hours_ago ), $contents ); } + /** + * Test that the login failure notice uses calm, informational language. + * + * @covers Two_Factor_Core::maybe_show_last_login_failure_notice() + */ + public function test_login_failure_notice_language_is_calm_and_informational() { + $user = $this->get_dummy_user(); + update_user_meta( $user->ID, Two_Factor_Core::USER_FAILED_LOGIN_ATTEMPTS_KEY, 3 ); + update_user_meta( $user->ID, Two_Factor_Core::USER_RATE_LIMIT_KEY, time() - 60 ); + + ob_start(); + Two_Factor_Core::maybe_show_last_login_failure_notice( $user ); + $contents = ob_get_clean(); + + $this->assertStringNotContainsString( 'WARNING', $contents ); + $this->assertStringNotContainsString( "wasn't you", $contents ); + $this->assertStringNotContainsString( 'reset your password', $contents ); + $this->assertStringContainsString( 'failed verification code', $contents ); + $this->assertStringContainsString( 'review your account security', $contents ); + } + /** * Test no reset notice when no errors. *