Blog PostHacked using WP Lost Password?

A Saudi guy was trying to hack my website... Of-course, due to my knowledge of security, his attempts were not successful. But he reminded me of the method, thus I am posting it to help other Wordpress users to secure their blogs.

Simply he tries to reset the password using wordpress lostpassword function.. I will not post the details of the method, so people don't try it on other blogs..

However, if you maintain a wordpress blog, you can disable the function using a simple plugin:

<?php /\* Plugin Name: Disable Lost Password Feature Plugin URI: Description: This is a plugin to disable Lost password feature in wordpress. I have found this plugin online and I can't recall the source or the author. Author: Unknown, Posted by Ali Almahdi Version: 0.1 Author URI: \*/ function disable\_password\_reset() { return false; } add\_filter ( 'allow\_password\_reset', 'disable\_password\_reset' ); function remove\_password\_reset\_text ( $text ) { if ( $text == 'Lost your password?' ) { $text = ''; } return $text;  } function remove\_password\_reset() { add\_filter( 'gettext', 'remove\_password\_reset\_text' ); } add\_action ( 'login\_head', 'remove\_password\_reset' ); function remove\_password\_reset\_text\_in ( $text ) { return str\_replace( 'Lost your password</a>?', '</a>', $text ); } add\_filter ( 'login\_errors', 'remove\_password\_reset\_text\_in'); ?>

Upload to plugins directory and enable in the plugins... This will protect you from lost-password attacks.


Discuss with me and others You need to sign in to post comments