• I just had a hacker successfully hack my WordPress. Luckily I was sitting at my desk when my phone alerted me to a new email that said someone changed my password.

    Title of the email was:

    “(your blog name) Password Lost/Changed”

    with body message:
    Password Lost and Changed for user: yourusername

    They’re using the wp-login script somehow, judging by their path through my site. The IP (93.91.197.18) belongs to someone in the United Arab Emirates and they used an email that was [email protected].

    I suggest everyone password protect their wp-admin folder and rename the wp-login file to something else.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter byc

    (@byc)

    Actually don’t rename wp-login.php. Go in and edit it to disable the lost password functionality for the time being. Go to line 369 and add an extra line after it with "break;"

    So before is:
    case 'lostpassword' :
    case 'retrievepassword' :

    After is:

    case 'lostpassword' :
    break;
    case 'retrievepassword' :
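The original post suggests locking down the login flow and the reply above disables lost-password handling by editing wp-login.php itself; as an added example (not from this thread or from WordPress core), the same goal can be reached through WordPress's own `allow_password_reset` filter, which `retrieve_password()` consults before it sends a reset email, so an upgrade does not undo the change. The plugin name, the role list and the log message are assumptions.

```php
<?php
/**
 * Plugin Name: Block email password resets for privileged accounts (added example)
 * Place this file in wp-content/mu-plugins/ so it loads without activation.
 *
 * Hooks the core 'allow_password_reset' filter instead of patching wp-login.php.
 */

// Roles that must never have their password reset by email (assumption: adjust as needed).
const NO_EMAIL_RESET_ROLES = array( 'administrator', 'editor' );

/**
 * Decide whether a reset may proceed for $user_id.
 * Returns true to allow it, or a WP_Error that wp-login.php displays
 * instead of sending the reset email.
 */
function block_privileged_password_reset( $allow, $user_id ) {
    if ( is_wp_error( $allow ) || ! $allow ) {
        return $allow; // Another filter already refused; keep that decision.
    }
    $user = get_userdata( $user_id );
    if ( $user && array_intersect( NO_EMAIL_RESET_ROLES, (array) $user->roles ) ) {
        // Record the attempt and the requesting address in the server error log.
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'Blocked password reset for user %s from %s', $user->user_login, $ip ) );
        return new WP_Error( 'reset_blocked', 'Password resets by email are disabled for this account.' );
    }
    return $allow;
}
add_filter( 'allow_password_reset', 'block_privileged_password_reset', 10, 2 );
```

Privileged accounts then have to be reset from the Users screen by another administrator, while ordinary subscribers keep the normal lost-password form.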

    Thread Starter byc

    (@byc)

    And here are the logs of the hacker’s path through my site during his session on it:

    [log content censored for your protection]

    Moderator James Huff

    (@macmanx)

    Please report your finding directly to [email protected]

    These things should not be discussed publicly. That’s how hacks and vulnerabilities are spread publicly, thus endangering everyone else on the platform.

  • The topic ‘Security flaw in version 3’ is closed to new replies.