There is a serious exploit against WordPress out in the wild that allows an attacker to reset your password. It works on every version of WordPress and there is no official patch yet, which is pretty scary. There is a temporary workaround, and it appears that WordPress.com has already applied it. This workaround can be found here, and I have already applied it to my site; you should too if you are running WordPress.
Basically, all you need to do is replace some text in your wp-login.php file. Just go in there and change:

    if ( empty( $key ) )

to:

    if ( empty( $key ) || is_array( $key ) )
Now if someone tries to reset your password using this exploit, they will get slapped down with the message “Sorry, that key does not appear to be valid.” Now that’s music to my ears.
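To make the reason for the one-line change visible, here is an added illustration in plain PHP (my own code, not WordPress's and not part of the original post): the original check, the patched check from the workaround above, and a stricter allow-list variant of my own, run against constructed sample values of the kind PHP puts into $_GET. The function and sample names are mine.

```php
<?php
// Added example: models the wp-login.php reset-key check before and after
// the workaround. Function names and sample values are assumptions.

// Stand-in for the message WordPress shows when the key is rejected.
const INVALID_KEY_MSG = 'Sorry, that key does not appear to be valid.';

// Original check: only rejects "empty" values. PHP's empty() treats a
// non-empty array as a real value, so an array-valued key passes through
// to the database lookup instead of being rejected here.
function reset_key_is_valid_before($key): bool {
    if ( empty( $key ) )
        return false;
    return true;
}

// Patched check from the post: additionally reject any array-valued key,
// so the activation-key lookup only ever runs with a scalar.
function reset_key_is_valid_after($key): bool {
    if ( empty( $key ) || is_array( $key ) )
        return false;
    return true;
}

// Stricter, allow-list style (my own suggestion, not the workaround):
// require the expected type outright rather than excluding one bad type.
function reset_key_is_valid_strict($key): bool {
    return is_string( $key ) && $key !== '';
}

// Constructed sample inputs: a normal scalar key, a missing key, and an
// array-valued key (PHP parses a repeated or bracketed parameter as an array).
$samples = [
    'scalar key'       => 'a1b2c3d4e5f6',
    'missing key'      => '',
    'array-valued key' => [''],
];

foreach ($samples as $label => $key) {
    printf("%-17s before: %-8s after: %-8s strict: %s\n", $label,
        reset_key_is_valid_before($key) ? 'accepted' : 'rejected',
        reset_key_is_valid_after($key)  ? 'accepted' : 'rejected',
        reset_key_is_valid_strict($key) ? 'accepted' : INVALID_KEY_MSG);
}
```

Only the array-valued sample separates the three checks: the original accepts it, while both the patched and the strict check reject it.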
I have verified that this solution works by testing the exploit on my own site. Without this modification, I can nuke my admin password. My mail function was broken and the system wouldn’t even send me a new password via email, and I had to reset the password from my backup. With this modification, the exploit doesn’t work.
Update 8/12/2009 – WordPress.org has released WordPress 2.8.4. I think that patch only adds the modification above, but it might include other patches too. I hate these full upgrades, because you have to back up first and hope nothing breaks or resets. I may skip this upgrade since I did the manual fix, which is easier.
I just moved www.ForMortals.com to WordPress, and it was a monumental effort in moving a DotNetNuke Blog site to WordPress. DotNetNuke was never stable as a blogging platform and it was a mistake to start off with it. Even though I quickly realized this mistake, I knew it would be painful migrating my existing blogs and users.
The SQL database structure in the two platforms was nothing alike, and even the field types were unique to WordPress. I’ve finished moving all the old blog postings and all the subscribers. I still have to finish moving all of the comments. The final look and feel hasn’t been completed yet, but I already feel a lot better about the site. Please add any feedback in the comment section below.
I will be sending out email notifications to everyone about this migration. If you haven’t already done so, please reset your password here using your email address and update your profile information. Please accept my apology for the inconvenience and thank you for subscribing to this site.
Update 9:00 AM – Just dumped over 1500 comments from the old site into this new platform. I’ve tried to maintain the formatting and post dates as well as the blog entries they are attached to. Now this is feeling much more like a nice new home.
Update 10:00 AM – If you want a photo associated with your account, you’ll need to set up a Gravatar account.
Update 7/20/2009 – Added OpenID support (though it doesn’t seem to be working). I also need to figure out how to dynamically change the top-right photo to the author of the blog entry that you are reading.