This morning, someone tried logging into Blondish.net 4 times. Or rather, they reset my password 4 times! This was not a big issue, as my email account was not compromised. However, I found that this was not an isolated incident; it was widespread. Also, when I checked my recent visitor stats, the hits all went directly to my WordPress login page. ProgrammerFish blogged about it in their article WordPress Security Flaw: Reset Admin Password of Any Blog Without Confirmation!
The incident occurred at 3AM CST (USA). My fix was the same as ProgrammerFish's. The issue was that anyone could trigger the password-retrieval step on the WordPress login page while leaving the field that asks for a username or password blank, and the reset would still go through. The fix requires that field to actually contain something.
However, here is the fix that you can copy and paste.
To fix:
Go to wp-login.php and scroll to line 190 in WordPress version 2.8.3. I am not going to bother with earlier versions, as you SHOULD be using the most current version of WordPress…period! For those not much into counting, and who are comfortable enough with WordPress to scan the file, it is the part right after $key is mentioned. In fact, there is a comment in the file that says “Handles resetting the user’s password”. WordPress is cool like that, making it easy to find each section. 😉
if ( empty($key) )
Replace the above line with
if ( empty($key) || is_array($key) )
Now the password reset on your WordPress login page should not go through unless your admin email is put in. Also, as usual, make sure that your passwords are not easy to guess.
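To see why the extra is_array() test matters, here is a small stand-alone PHP script I added to this post (it is not WordPress code and not from ProgrammerFish). It reproduces the before and after versions of the check as two functions of my own naming and feeds them constructed sample values standing in for what PHP would place in $_GET['key'] for different requests: no parameter, an empty string, an array (PHP's query-string parser turns bracket syntax such as key[] into an array), and a normal string like the one from the reset email.

```php
<?php
// Added example, not part of wp-login.php: simulates the check that the
// post patches, using constructed $key values instead of a live request.
// Function names are mine.

// The check as it stood in WordPress 2.8.3 (before the fix).
function key_rejected_before_fix($key): bool
{
    return empty($key);
}

// The check after the fix described in the post.
function key_rejected_after_fix($key): bool
{
    return empty($key) || is_array($key);
}

// Constructed inputs mimicking $_GET['key'] for different requests:
//  - no key parameter at all        -> null
//  - an empty key parameter         -> ''
//  - bracket syntax (key[])         -> array, which PHP builds automatically
//  - a real key from the reset mail -> a non-empty string
$cases = [
    'missing'      => null,
    'empty string' => '',
    'array'        => [''],
    'valid string' => 'abc123',
];

foreach ($cases as $label => $key) {
    printf(
        "%-13s before fix: %-8s after fix: %s\n",
        $label,
        key_rejected_before_fix($key) ? 'rejected' : 'accepted',
        key_rejected_after_fix($key) ? 'rejected' : 'accepted'
    );
}
```

Run it with php on the command line. The missing and empty-string cases are rejected by both versions and the valid string is accepted by both; the array case is the one that changes, because empty() returns false for a non-empty array, so the old check let it through and the patched check rejects it. That is the whole point of the one-line fix above.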
Did you have this problem recently? Have you fixed it?