Plugin To Protect WordPress Against Password Reset Vulnerability

Since this morning I have been reading about the latest password reset vulnerability found in WordPress versions <= 2.8.3. (Details)

Those who can upgrade their WordPress installation should upgrade to version 2.8.4, which fixes this vulnerability.

But there are people like us who run highly customized WordPress setups that cannot simply be upgraded with a single click!

Although I personally do not find this recent vulnerability particularly serious, people trying to hack into Devils Workshop flooded my inbox with password reset emails. So to save myself from the annoyance, here is the code I put into our WPMU's mu-plugins directory.

<?php
/*
Plugin Name: Password Lock
Version: 0.1
Plugin URI: http://rtcamp.com
Description: Lock Password for specific users
Author: Rahul Bansal
Author URI: http://rtcamp.com
*/

// The 'password_reset' action fires inside reset_password() before the new
// password is generated and mailed, so exiting here aborts the reset.
// Priority 1 runs this check ahead of any other plugin on the same hook.
add_action('password_reset', 'rt_pass_reset_disallow', 1);

function rt_pass_reset_disallow($user) {
    // $user is the users-table row for the account being reset.
    // Refuse the reset for the listed usernames and send the requester
    // back to the lost-password form with the generic "invalid key" error.
    if (in_array($user->user_login, array('admin'))) {
        wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
        exit;
    }
}
?>

For Standard WordPress

  1. Copy and paste the code above into a text file and name it “password-lock.php” (you can name it anything)
  2. Upload it to the “wp-content/plugins” folder.
  3. Log into the WordPress Dashboard, go to the Plugins menu and activate the plugin named “Password Lock”.

For WordPress MU users

  1. Copy and paste the code above into a text file and name it “password-lock.php” (you can name it anything)
  2. Upload it to the “wp-content/mu-plugins” folder.
  3. It will be activated automatically.

For more than one admin account…

In case you want to block password resets for more than one admin account, add all the other admin-level usernames on the line

    if (in_array($user->user_login, array('admin'))) {

next to ‘admin’, separated by commas.

For example, here I have added ‘rahul’ and ‘deepak’:

    if (in_array($user->user_login, array('admin','rahul','deepak'))) {
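As an added example (not part of the original plugin), the same hook can protect every account that holds the administrator capability instead of a hard-coded username list, and record refused attempts in the PHP error log. It assumes WP_User::has_cap() is available, as it is in WordPress 2.8, and the helper name rt_pass_reset_is_protected is made up here:

```php
<?php
/*
Plugin Name: Password Lock (role-based)
Description: Block password resets for every account holding manage_options
*/

// Hypothetical helper (not from the original plugin): decide whether a
// reset for this account must be refused.
function rt_pass_reset_is_protected($user) {
    // $user as passed by the 'password_reset' hook is a row from the users
    // table, so wrap it in WP_User to get capability checks.
    $wp_user = new WP_User($user->ID);
    // Administrators hold manage_options; add further capabilities here if
    // other privileged roles (e.g. editors) should be locked as well.
    return $wp_user->has_cap('manage_options');
}

function rt_pass_reset_disallow_admins($user) {
    if (rt_pass_reset_is_protected($user)) {
        // Log the refused attempt (username and requester address) so a
        // flood of reset requests is visible to the site owner; the
        // requester only sees the generic "invalid key" error.
        $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log(sprintf('Password reset refused for privileged user %s from %s',
            $user->user_login, $addr));
        wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
        exit;
    }
}

// Priority 1 so this runs before any other handler on the same hook.
add_action('password_reset', 'rt_pass_reset_disallow_admins', 1);
?>
```

Administrators locked this way must have their passwords changed from the Dashboard (Users menu) rather than via the lost-password form.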

Nothing to worry…

Actually, this bug only affects the first user in the WordPress database, i.e. the default user with the username ‘admin’. Also, the WordPress password reset function generates strong passwords which are hard to guess.

3 replies on “Plugin To Protect WordPress Against Password Reset Vulnerability”

  1. Thanks for the code!
    Although I haven't faced this particular problem, as you mentioned above in your post, it really is becoming difficult to keep up with WordPress upgrades. They are releasing new updates every fortnight.