How to prevent user enumeration using WordPress forgot password form?


It's possible to enumerate a list of WordPress users by using the "forgot password" form. If you enter a username/email that DOESN'T exist, you receive an error telling you as much. And if you enter a username/email that DOES exist, it will confirm that fact with a success message:

Password reset request success message.

I'd like to have this form return the same message either way, but I can't seem to find the right WordPress hooks to do this. Has anyone tackled this before or have any suggestions on how to obfuscate the response?

You can try this:

// Lost password: same behaviour whether the account exists or not.
// The 'lostpassword_errors' filter passes two arguments ($errors, $user_data).
add_filter( 'lostpassword_errors', 'lostpassword_errors_custom', 20, 2 );
function lostpassword_errors_custom( $errors, $user_data ) {
    // User not found in general = $user_data is empty (false)
    // User not found by email   = $errors contains "invalid_email"
    // User not found by login   = no error yet, but $user_data is empty
    //   (WordPress adds its own "invalidcombo" error only after this filter has run)
    // Let any other error (e.g. an empty form) through unchanged.
    // To always redirect, even when the form is submitted empty, use this condition instead:
    //if ( ! $user_data ) {
    if ( $errors->get_error_code() === 'invalid_email' || ( ! $errors->has_errors() && ! $user_data ) ) {
        // Same redirect WordPress performs after a successful request
        wp_safe_redirect( 'wp-login.php?checkemail=confirm' );
        exit;
    }
    return $errors;
}
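As an added check (not part of the answer above), here is a small Python regression test for what "the same message either way" has to mean: status code, redirect target and body must match for an account that exists and for one that does not. The sample responses are constructed for this example, not captured from a real site.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass
class Response:
    """Minimal stand-in for an HTTP response to the lost-password form."""
    status: int
    headers: dict
    body: str


def fingerprint(resp):
    """Reduce a response to what a client can observe: status, redirect
    path, redirect query (order-independent) and the whitespace-normalised body."""
    location = urlparse(resp.headers.get("Location", ""))
    query = tuple(sorted((k, tuple(v)) for k, v in parse_qs(location.query).items()))
    return (resp.status, location.path, query, " ".join(resp.body.split()))


def responses_indistinguishable(existing, missing):
    """True when a known and an unknown account yield the same fingerprint."""
    return fingerprint(existing) == fingerprint(missing)


# Constructed sample responses: after the filter above, both a known and an
# unknown account are redirected to the confirmation screen, exactly as
# WordPress already does for a known account.
PATCHED_EXISTING = Response(302, {"Location": "/wp-login.php?checkemail=confirm"}, "")
PATCHED_MISSING = Response(302, {"Location": "/wp-login.php?checkemail=confirm"}, "")

# Constructed: the unpatched behaviour for an unknown account is an error
# rendered inline on the form, which is the oracle the question describes.
UNPATCHED_MISSING = Response(
    200,
    {"Content-Type": "text/html"},
    '<div id="login_error">Error: There is no account with that username or email address.</div>',
)

if __name__ == "__main__":
    print("patched indistinguishable:", responses_indistinguishable(PATCHED_EXISTING, PATCHED_MISSING))
    print("unpatched indistinguishable:", responses_indistinguishable(PATCHED_EXISTING, UNPATCHED_MISSING))
```

Timing is outside this check: even with the filter in place the site still only calls wp_mail() for an account that exists, so response latency can still differ between the two cases.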