No idea why anyone would be even remotely interested in hacking this blog but it happened. Quite a lot too. Every time I see a “password reset” mail I knew it happened again. Quite annoying, considering I like to present myself as a dev ninja. Kinda embarrassing.
I thought I solved it but after working till 5 AM last night I woke up this morning and witnessed another hack as it happened.
The cause was pretty much known. One of the 24(!) active plugins on this site has an SQL injection vulnerability. Ah what? Well, basically the writer of the plugin is a moron or deliberately making his plugin vulnerable to attacks. With this vulnerability it’s quite easy to change the password of the admin user and take over full control of the WordPress blog. If you want to know the details check out the super clear tutorial explanation on Flippercode.
Nice, so now I should actually check all the files of code of 24 plugins to find the vulnerability? That would probably take days and quite frankly this blog is not worth that. So I looked for a more simple solution and quickly found it. Just leave the SQL vulnerability for what it is, that is, unless you store credit card info in your WP database.
The simple and hopefully effective solution is disabling the whole password reset function. This requires just 3 lines of code to be placed in the functions.php of the active theme(s):
|
1 2 3 |
function disable_reset_lost_password() { return false; } add_filter( 'allow_password_reset', 'disable_reset_lost_password'); |
And this is the result the next time a hacker requests a password reset:
Is it an elegant solution? Hell no! Effective? Quick? Yep.