Default password = "hello". Can hackers find a way?
Hello everybody,
I already know that many of you will beat me hard for this, BUT please after beating me try to help.
I hacked the WordPress password generator to automatically generate ALWAYS THE SAME DEFAULT password. That is, let’s say, “hello” (no quotes).
I need to keep it like that, and I won’t consider ANY solution that advises me to alter this condition.
Having done that, I need to close all the backdoors that hackers may use.
To protect subscribers, I disabled the profile page, and they have to contact me to access their data.
But most important, I needed to disable the “Lost your password” function from wp-login.php.
WHAT A PAIN! All the plugins and hacks that I tried were just removing the link to the password reset form (i.e. the link to /wp-login.php?action=lostpassword), but I was still able to reach it by manually typing:
mysite.com/wp-login.php?action=lostpassword
The big problem here is, the same function used to generate a random password, that I altered to always output “hello”, is used ALSO to generate the random password reset key. So the random password reset key is ALWAYS hello.
Now, let’s assume that the administrator, nickname John, has a super complicated password.
If somebody gets the admin username or email (easy), they just type:
mysite.com/wp-login.php?action=lostpassword
Enter the admin username or email and send the form. Now the password reset key “hello” is active.
Then they type:
mysite.com/wp-login.php?action=rp&key=hello&login=John
Here they set their own password: they are in and John’s OUT!
I found several methods to prevent the password reset for specific users, using the hook allow_password_reset from user.php, but, probably due to my limited PHP competence, none of them was working.
All I could get was hiding the link from wp-login.php to wp-login.php?action=lostpassword .
To quickly patch this big hole I just prevented user.php from generating ANY password reset key.
line 1947
// $key = wp_generate_password( 20, true );
(please note the EXTREMELY elegant // solution)
Thanks to this, there is no password reset key and none of the following links appears to be valid:
mysite.com/wp-login.php?action=rp&key=&login=John
mysite.com/wp-login.php?action=rp&key=hello&login=John
So two questions:
1- Can I do it in a different way??
2- Is there any other backdoor that I’m leaving open for hackers?
Thanks a lot for your help
Nick
PS: If you are going to answer that having such a password generator is dangerous for me, for the users and for the world, without providing me with a solution to my questions, or that “YES, the holes are huge and cannot be enumerated”, please refrain from answering. I’ll appreciate your silence.
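
One way to shut off the reset flow described in the post without editing user.php, as an added example that is not part of the original post or of WordPress core: a must-use plugin that refuses to issue reset keys and redirects every reset screen of wp-login.php, including URLs typed by hand. The file location and the `example_` names are assumptions; the hooks and functions called are WordPress core's.

```php
<?php
/**
 * Plugin Name: Disable password reset (added example, not WordPress core code)
 * Assumed location: wp-content/mu-plugins/disable-password-reset.php
 */

// 1. Core consults this filter before issuing a reset key. Returning false
//    for every account means no key is generated or stored.
add_filter( 'allow_password_reset', '__return_false', PHP_INT_MAX );

// 2. wp-login.php fires login_form_{$action} once it has resolved the final
//    action, so this catches the request form, the form submission and both
//    key-redemption screens, whether or not a link to them is shown.
function example_block_reset_screens() {
	wp_safe_redirect( wp_login_url() );
	exit;
}
foreach ( array( 'lostpassword', 'retrievepassword', 'rp', 'resetpass' ) as $example_action ) {
	add_action( 'login_form_' . $example_action, 'example_block_reset_screens' );
}

// 3. Point the "Lost your password?" link back at the login form so no page
//    advertises a flow that is switched off.
function example_lostpassword_url( $url, $redirect ) {
	return wp_login_url();
}
add_filter( 'lostpassword_url', 'example_lostpassword_url', PHP_INT_MAX, 2 );
```

Because this lives outside core, it survives WordPress updates, which a commented-out line in user.php does not.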