Log failed passwords to a file in Wordpress
From ETCwiki
One of my WordPress sites was getting hacked and I wanted to see which passwords the attackers were trying, so we could judge how serious it was. I added this snippet to the end of my theme's functions.php file. It hooks into wp_login_failed, so it records only the passwords from logins that failed. You have to change one line to point at the log file under your website's root directory.
Yeah, I know this code could be written in fewer lines and with better output logging. Oh well, it works.
Wordpress 4.9.2 -- Written 1/21/2018
Dangers
- If you mistype your own password by one letter, that near-miss is logged in plaintext, so the file can reveal real users' passwords!
- Writing to a hidden file like .htfailures is a bit safer on Apache, whose stock config denies web access to any file whose name starts with .ht; nginx has no such default rule, so there put the file outside the web root instead. Do not write to a CSV or anything else that ends up publicly readable!
//RECORD FAILED PASSWORDS TO A FILE goes in functions.php
add_action('wp_login_failed', 'login_failed_func');
function login_failed_func($args) {
    // $args is the username WordPress passes to wp_login_failed.
    // var_dump() prints instead of returning, so capture it with
    // output buffering rather than echoing it into the login page.
    ob_start();
    var_dump($args);
    $out = ob_get_clean();
    // The login form posts the password as 'pwd'. XML-RPC failures also
    // fire this hook without it, so guard the index.
    $failed = isset($_POST['pwd']) ? $_POST['pwd'] : '';
    $date = date('m/d/Y h:i:s a');
    //REPLACE THIS FILE WITH YOUR FILE
    $my_file = '/var/www/mysite/public_html/.htfailures';
    $handle = fopen($my_file, 'a');
    if ($handle === false) {
        // Never die() inside a hook: it would blank the login page.
        error_log('Cannot open file: ' . $my_file);
        return;
    }
    $newline = "\n";
    fwrite($handle, $date);
    fwrite($handle, $out);
    fwrite($handle, $failed);
    fwrite($handle, $newline);
    fwrite($handle, $newline);
    fclose($handle);
}
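The same hook, as an added example that is not the wiki page's code, written to address the two dangers listed above: it logs the plaintext guess only when the username does not exist (an attacker's dictionary entry, not a real user's typo), keeps only a keyed, truncated hash for guesses against real accounts, strips control characters so a crafted username cannot forge log lines, and appends with a lock. It assumes a constant FAILED_LOGIN_LOG is defined in wp-config.php and points at a file outside the web root that the web server user can append to; username_exists() and wp_salt() are standard WordPress functions.

```php
<?php
// Added example, not the page's own snippet. Assumed configuration in wp-config.php:
//   define('FAILED_LOGIN_LOG', '/var/log/wordpress/failed_logins.log');
// The file must live outside the web root and be writable by the web server user.

add_action('wp_login_failed', 'etcwiki_log_failed_login');

function etcwiki_log_failed_login($username) {
    if (!defined('FAILED_LOGIN_LOG')) {
        return; // nothing configured: stay silent rather than break the login page
    }

    // The login form posts the password as 'pwd'. XML-RPC failures also fire
    // this hook but do not set the field, so guard the index.
    $password = isset($_POST['pwd']) ? (string) $_POST['pwd'] : '';

    // What to record about the password:
    //  - a guess against a username that does not exist cannot be a real
    //    user's typo, so the plaintext is useful attacker intelligence;
    //  - a guess against a real account is often a near-miss of the real
    //    password, so keep only a keyed hash (HMAC with the site's auth
    //    salt), truncated. That is enough to count distinct guesses, but
    //    without the salt it cannot be brute-forced back to the typo.
    if ($password === '') {
        $pw_field = '(no pwd field)';
    } elseif (username_exists($username)) {
        $pw_field = 'hmac:' . substr(hash_hmac('sha256', $password, wp_salt('auth')), 0, 16);
    } else {
        $pw_field = 'plain:' . $password;
    }

    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';

    // One tab-separated line per failure, UTC timestamp first.
    $line = implode("\t", array(
        gmdate('Y-m-d\TH:i:s\Z'),
        etcwiki_log_field($ip),
        etcwiki_log_field($username),
        etcwiki_log_field($pw_field),
    )) . "\n";

    // Append under an exclusive lock so concurrent failures do not interleave.
    if (@file_put_contents(FAILED_LOGIN_LOG, $line, FILE_APPEND | LOCK_EX) === false) {
        error_log('failed-login logger: cannot write ' . FAILED_LOGIN_LOG);
    }
}

// Replace control characters (newlines, tabs, NUL) so a crafted username or
// password cannot inject extra log lines or break the column layout.
function etcwiki_log_field($value) {
    return preg_replace('/[\x00-\x1F\x7F]/', '?', (string) $value);
}
```

When pasting into functions.php, drop the leading `<?php` line, since that file already opens with one. A resulting line looks like `2018-01-21T10:15:02Z<TAB>203.0.113.5<TAB>admin<TAB>hmac:3f9a...` for a real account and `...<TAB>administrator<TAB>plain:password123` for a username that does not exist, which is exactly the information the page set out to collect.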
External Links
- StackOverflow - Is there a way to get the password on a failed wordpress login?
- Angel Watt - log login attempts - this is more thorough, with CSV output, but seemed like overkill to me, and was more than a few years old
- Stack Overflow - Just people searching for this same stuff, no solutions