WordPress password recovery protection


I wrote this post because I am tired of the messages I receive asking to recover the password for my site. Some of you seem to regard this as insignificant, helped along by the famous sentence that comes with the message: "If this request was in error, just ignore this message and nothing will happen." How can nothing happen? Suppose one of the plugins I use has a SQL injection vulnerability. We rarely hear of such vulnerabilities in WordPress, but no one knows what is coming, so precaution is required. Let's get to the point.

Why disable password recovery

As I mentioned, the annoying password reset messages are frequent. The real danger, however, arises if a plugin has a SQL injection flaw or there is a bug in WordPress itself, because, as is known, the message you receive carries a link like this:

https://www.mwordpress.net/wp-login.php?action=rp&key=3egPdfrxRBgLdwp&login=user
  1. key=3egPdfrxRBgLdwp: the activation key that authorizes the password reset for this user
  2. login=user: the username whose password will be changed, usually admin

Here we will discuss how an attacker can obtain the activation key for the password reset by injecting SQL into the database.

(Image: the wp_users table, user_activation_key column)

When a password reset is requested, the key is recorded in the user_activation_key field marked by the red arrow (I deleted the value in the image). That value, which we represented above as 3egPdfrxRBgLdwp, is what matters: an attacker can read it from the database through a SQL injection vulnerability. (Note that current WordPress versions store a timestamp and a hash of the key in that column rather than the plain key, so a read-only injection yields less than it once did; an injection that can also write to the table is another matter.)

Now that I have explained how serious this is for your site, follow the steps below if you want to avoid the problem.

Prevent password retrieval

We will take only two steps: hide the password recovery link, and redirect anyone who requests the password recovery page to the home page.

Hide password recovery link

To hide the password recovery link we will use a function that removes the text of the reset link. I found the function in the WordPress support forums; I only modified one line and it worked, whereas a plugin I tried did not work. Open your theme's functions.php file and add the following function at the end of the file:

// Blank out the "lost password" link text on the login page.
// WordPress passes every translated string through the gettext filter,
// so we compare against the exact text shown on the login screen.
// Stock WordPress uses "Lost your password?"; change the string below
// to match whatever your site actually displays.
function remove_password_reset_text( $text ) {
	if ( $text == "Forgot your password?" ) {
		$text = "";
	}
	return $text;
}

// Attach the filter only while the login page is rendering, so other
// pages and admin screens are not affected.
function remove_password_reset() {
	add_filter( "gettext", "remove_password_reset_text" );
}
add_action( "login_head", "remove_password_reset" );

This makes the link disappear.

Note: this method alone will not prevent password requests, because anyone can append ?action=lostpassword to wp-login.php and the password reset page will still be displayed. Please use both methods together.

Prohibit password reset for admins only

For this method we need a plugin that does the job. I found the "Prevent Password Reset" plugin, which you can download and install on your blog.

(Image: the Prevent Password Reset plugin)

With this plugin installed, no one will be able to recover the password of an administrator account, and a message like the following appears:

(Image: the password recovery blocked message)
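As an added example (my own code, not the plugin's and not from the original post), the same two protections can be done in functions.php without a plugin, using WordPress's own hooks: the allow_password_reset filter refuses to create a reset key for administrators, so nothing is ever written to user_activation_key for them, and the login_form_lostpassword action sends the lost-password page to the home page, which also closes the ?action=lostpassword bypass mentioned above. The function name mw_redirect_lost_password is my own choice.

```php
<?php
/*
 * Added example: block password recovery for administrators and redirect
 * the lost-password page to the home page, using only WordPress hooks.
 * Paste at the end of the active theme's functions.php.
 */

// 1. Refuse to generate a reset key for any user who can manage options
//    (i.e. administrators). WordPress applies this filter inside
//    get_password_reset_key() before the key is stored, so the
//    user_activation_key column is never populated for these accounts,
//    whichever form (wp-login.php or a plugin's own form) asked for it.
add_filter( 'allow_password_reset', function ( $allow, $user_id ) {
	if ( user_can( $user_id, 'manage_options' ) ) {
		return false; // WordPress then reports that reset is not allowed
	}
	return $allow;
}, 10, 2 );

// 2. Send anyone who opens wp-login.php?action=lostpassword (or its alias
//    retrievepassword) to the home page before the form is rendered.
//    This covers the direct-URL bypass that hiding the link alone leaves open.
function mw_redirect_lost_password() { // hypothetical name, my own choice
	wp_safe_redirect( home_url( '/' ) );
	exit;
}
add_action( 'login_form_lostpassword', 'mw_redirect_lost_password' );
add_action( 'login_form_retrievepassword', 'mw_redirect_lost_password' );
```

Step 2 blocks the page for every visitor, not just administrators; if ordinary subscribers still need self-service resets, drop step 2 and rely on step 1, which protects administrator accounts wherever a reset is requested from.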

If an administrator forgets their password, all you have to do is change it through phpMyAdmin. I explained how in an earlier post: ways to retrieve the admin password for a WordPress blog.

With that, may God help you, and see you in another post, God willing.
