
Temporary fix for unauthorized WordPress password reset

There is a serious exploit against WordPress in the wild that allows an attacker to reset your password. It works on every version of WordPress and there is no official patch yet, which is pretty scary. There is a temporary workaround, and it appears that WordPress.com has already applied it. The workaround can be found here; I have already applied it to my site, and you should too if you are running WordPress.

Basically, all you need to do is replace one line in your wp-login.php file. Open the file and change:

if ( empty( $key ) )

to

if ( empty( $key ) || is_array( $key ) )

Now if someone tries to reset your password using this exploit, they will get slapped down with the message “Sorry, that key does not appear to be valid.” Now that’s music to my ears.
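To show why the extra clause matters, here is an added illustration (not code from this post or from WordPress) that puts the original guard next to the patched one and runs both over inputs shaped the way PHP delivers query parameters. The key values are constructed placeholders; the `strict_key_rejected` variant is my own stricter equivalent, not the WordPress patch.

```php
<?php
// Added example, not WordPress source. Shows how PHP's empty() treats
// the value types a query string can produce, and why the patch adds
// an is_array() check.

// The guard as it stood before the fix: only empty() is consulted.
function original_key_rejected($key): bool
{
    return empty($key);
}

// The guard after the one-line change described in the post.
function patched_key_rejected($key): bool
{
    return empty($key) || is_array($key);
}

// A stricter equivalent (my own, not from WordPress): accept only a
// non-empty string, which also covers any future non-string type.
function strict_key_rejected($key): bool
{
    return !is_string($key) || $key === '';
}

// Constructed inputs mirroring what PHP builds from a request:
//   ?key=abc123  gives the string "abc123"
//   ?key=        gives the string ""
//   ?key[]=abc   gives the array ["abc"]
//   ?key[]=      gives the array [""]
// empty() is true only for "" / [] and similar; a one-element array,
// even one holding an empty string, is NOT empty to PHP, so the
// original guard lets it through while the patched guard rejects it.
$inputs = [
    'string key'             => 'abc123',
    'empty string key'       => '',
    'array with one element' => ['abc'],
    'array with empty elem'  => [''],
];

foreach ($inputs as $label => $key) {
    printf(
        "%-24s original rejects: %-3s patched rejects: %-3s strict rejects: %s\n",
        $label,
        original_key_rejected($key) ? 'yes' : 'no',
        patched_key_rejected($key)  ? 'yes' : 'no',
        strict_key_rejected($key)   ? 'yes' : 'no'
    );
}
```

Run it with `php` on the command line; the two array rows are the ones where the original and patched guards disagree.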

I have verified that this solution works by testing the exploit on my own site.  Without this modification, I can nuke my admin password.  My mail function was broken and the system wouldn’t even send me a new password via email, and I had to reset the password from my backup.  With this modification, the exploit doesn’t work.

Update 8/12/2009 – WordPress.org has released WordPress 2.8.4.  I think that patch only adds the modification above, but it might include other patches too.  I hate these full upgrades, because you gotta backup first and hope nothing breaks or resets.  I may skip this upgrade since I did the manual fix which is easier.

  1. August 12th, 2009 at 08:06 | #1

    Scary. Change made. I’m still on v2.7.1 and don’t want to upgrade right now.

  2. August 12th, 2009 at 08:15 | #2

    I hear you. I don’t really want to apply 2.8.4 right now because I need to back up data before I upgrade. I’m OK now since I already have the patch in place. I’ll have to verify whether 2.8.4 implements the same workaround.

    But why are you still on 2.7.1? Too many customizations?

  3. September 1st, 2009 at 06:48 | #3

    Great…so my thousands of site users cannot retrieve their own lost password in 2.8.4 right now?

  4. September 5th, 2009 at 17:14 | #4

    Hey good stuff…keep up the good work! :)
