Plugin To Protect WordPress Against Password Reset Vulnerability

Since this morning I have been reading about the latest password reset vulnerability found in WordPress version <= 2.8.3. (Details)

Those who can upgrade their WordPress installation should upgrade to version 2.8.4, which fixes this vulnerability.

But there are people like us who are running highly customized WordPress setups which cannot simply be upgraded with a single click!

Although I personally do not find this recent vulnerability to be anything serious, people trying to hack into Devils Workshop flooded my inbox with password reset emails. So to save myself from the annoyance, here is the code I put into our WPMU mu-plugins directory.

<?php
/*
Plugin Name: Password Lock
Version: 0.1
Plugin URI: http://rtcamp.com
Description: Lock Password for specific users
Author: Rahul Bansal
Author URI: http://rtcamp.com
*/

// Hook the 'password_reset' action, which core fires in reset_password() just
// before it generates and saves a new password. Priority 1 runs this callback
// before any other callback attached to the same action.
add_action('password_reset', 'rt_pass_reset_disallow', 1);

function rt_pass_reset_disallow($user) {
    // $user is the account whose password is about to be reset. For the
    // usernames listed here, abort the reset and send the visitor back to the
    // lost-password form with the "invalid key" error.
    if (in_array($user->user_login, array('admin'))) {
        wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
        exit;
    }
}
?>

For Standard WordPress

  1. Copy-paste the above code into a text file and name it “password-lock.php” (you can name it anything)
  2. Upload it to the “wp-content/plugins” folder.
  3. Log into the WordPress Dashboard, go to the Plugins menu and activate the plugin named “Password Lock”

For WordPress MU users

  1. Copy-paste the above code into a text file and name it “password-lock.php” (you can name it anything)
  2. Upload it to the “wp-content/mu-plugins” folder.
  3. It will be activated automatically.

For more than one admin account…

If you want to block password resets for more than one admin account, add the other admin-level usernames on the line

if(in_array($user->user_login, array('admin'))){

next to ‘admin’, separated by commas.

Check the example… I added ‘rahul’ and ‘deepak’ below…

if(in_array($user->user_login, array('admin','rahul','deepak'))){

Nothing to worry…

Actually, this bug only affects the first user in the WordPress database, i.e. the default user with the username ‘admin’. Also, the WordPress password reset function generates strong passwords which are hard to guess.
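As an added example (not the plugin from this post), here is the same idea extended so that the locked usernames live in one list, and so that the block also applies at the “Lost your password?” request stage through the core allow_password_reset filter (present since WordPress 2.7), which means no reset email is sent for those accounts at all. The helper name rt_locked_usernames and the plugin name are assumptions.

```php
<?php
/*
Plugin Name: Password Lock (two-stage example)
Description: Blocks password resets for a list of usernames at both the request and the reset stage.
*/

// Hypothetical helper: the accounts whose password may not be reset through
// wp-login.php. Edit this list; 'admin' is the first user the post is about.
function rt_locked_usernames() {
    return array('admin');
}

// Stage 1: refuse the request on the "Lost your password?" form. Core applies
// 'allow_password_reset' in retrieve_password() before sending the key email;
// returning false makes it return a WP_Error and send nothing.
function rt_allow_password_reset($allow, $user_id) {
    $user = get_userdata($user_id);
    if ($user && in_array($user->user_login, rt_locked_usernames(), true)) {
        return false;
    }
    return $allow;
}
add_filter('allow_password_reset', 'rt_allow_password_reset', 10, 2);

// Stage 2: defence in depth at reset_password(), the code path reached by a
// crafted key. Same check as the original plugin, using an absolute URL for
// the redirect so it does not depend on the current request path.
function rt_pass_reset_disallow($user) {
    if (in_array($user->user_login, rt_locked_usernames(), true)) {
        wp_redirect(site_url('wp-login.php?action=lostpassword&error=invalidkey'));
        exit;
    }
}
add_action('password_reset', 'rt_pass_reset_disallow', 1);
```

The strict third argument to in_array avoids loose comparisons; if you lock yourself out of an account, change its password from the Users screen while logged in as another administrator or directly in the database.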

3 Comments

Paritosh August 12, 2009

Thanks for the code !
Although I haven't faced this particular problem, as you mentioned above in your post, it really is becoming difficult to keep up with WordPress upgrades. They are releasing new updates every fortnight.

Thesis customization August 18, 2009

If you access your blog from a static IP you can also use the .htaccess method to block login. Though for security I will suggest upgrading your blog to the latest version.
Useful share, Rahul.
Meanwhile I just referred you to the famous bLogger club 🙂
http://blog.newmediabloggers.com/interview-with-harsh-agrawal-founder-of-shoutmeloud-–-famous-bloggers-club/

Harsh

Rahul Bansal September 1, 2009

@Harsh
Thanks buddy.
But as you know DW is a community blog, so the .htaccess method is not useful here.