WordPress Admin Password can be Reset by Anyone (Fix Provided)
[Update: WordPress 2.8.4, which fixes this, has been released.]

We have a problem, folks. It turns out there is a way for anyone to reset your admin password without your permission. This exploit will not give them the new admin password. Nor will it permanently lock you out, as the new password will be mailed to your email address. Even so, it is still annoying to find yourself locked out of your own blog.
How do you do it? No, I’m not going to tell you. If you really want to know, I’m sure you can find out. Unlike some fishy programmers (read: jerks), I don’t really feel the need to propagate instructions for causing problems for other webmasters.
That said, I will happily provide the solution. I might even hack it into a quick plugin tonight if I get the time, for people who don’t feel like either modifying their source code or waiting for a 2.8.4 security release.
Here’s the fix:
- Open wp-login.php in your text editor of choice.
- Go to either line 190 (2.8.*) or line 169 (earlier versions). In either case, look for a little chunk of code that looks like this:

    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key )) return new WP_Error('invalid_key', __('Invalid key'));
    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users ...

- Change the if line to be this:

    if ( empty( $key ) || is_array( $key ))

- Save the file and save yourself a headache.
For the curious, here is the official documentation for the fix at WordPress’s trac site.
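To make the fix concrete, here is an added example (my own code, not WordPress’s and not part of the original post) that runs the pre-patch check, the patched check from the list above, and a stricter string-only check side by side on constructed sample inputs. The function names and the sample key values are made up for illustration; the point is that a reset key which arrives as an array survives empty() unless the code explicitly tests for it.

```php
<?php
// Added example, not code from WordPress or from this post. It contrasts
// the pre-2.8.4 check with the patched one and with a stricter type check.

// The check as it stood before the patch: it only rejects an empty value.
function key_passes_old_check($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return !empty($key);
}

// The patched check from this post: it also rejects an array.
function key_passes_patched_check($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return !(empty($key) || is_array($key));
}

// A stricter variant (my own, not WordPress's): accept only a non-empty
// string that is already alphanumeric, rather than stripping characters,
// so a malformed key is rejected instead of being "repaired" into a match.
function key_passes_strict_check($key) {
    return is_string($key) && preg_match('/^[a-z0-9]+$/i', $key) === 1;
}

// Constructed sample inputs (not real keys). PHP parses a query-string
// parameter written with square brackets as an array, so a request value
// that the code expects to be a string may not be one.
$samples = array(
    'valid key'     => 'Ab3dEf9hIj2kLm5n',
    'empty key'     => '',
    'array key'     => array('x'),
    'non-alnum key' => 'abc-123',
);

foreach ($samples as $label => $key) {
    printf("%-14s old=%-6s patched=%-6s strict=%s\n",
        $label,
        key_passes_old_check($key) ? 'pass' : 'reject',
        key_passes_patched_check($key) ? 'pass' : 'reject',
        key_passes_strict_check($key) ? 'pass' : 'reject');
}
```

Running it shows the old check passing the array input while both the patched and the strict check reject it; the strict check additionally rejects the key containing a hyphen, which the other two silently normalize to a shorter alphanumeric string. Whether that stricter behaviour is appropriate depends on how the reset key is generated, so treat it as a design option rather than a drop-in replacement for the one-line patch above.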

Thanks for posting this, this really will save a lot of annoyance. What exactly does this new line of code do?
It stops the reset if the reset key (the long string of gibberish in your email if you ask for a reset) is an array. The old method just checked to make sure the value wasn’t empty. The exploit tricks the wp-login script by tweaking the arguments to wp-login.php (in the URL) to make the key into an array.
Does the exploit work if the admin user has been deleted and other users not named “admin” are Administrators? i.e. can they sniff that out? then the question is, would they bother?
The exploit should work with any user name that is allowed to reset their password. If reset requires admin approval, then nada will happen (although you won’t be able to tell the real resets from the fake in your admin email). If your administrator account (or accounts) have a different user name, it will require the bad guy to figure out those user names.
Yet another reason to use a user name other than “admin”, although I am all too guilty of sticking with “admin” on some of my sites (but I patched them all).