Monthly Archives: August 2009

Protecting yourself against the WordPress login page exploit

Anyone that runs a wordpress blog will hopefully be aware of the recent exploit against the login page:

“You can abuse the password reset function, and bypass the first step and then reset the admin password…”

and

“An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3”

There’s no fix in any released version yet, but you can protect yourself with a bit of Apache config until one is released. Just add this to your wordpress virtualhost, replacing “you.re.ip.add” with the IP address you want to access the login page from:

<Location /wp-login.php>
# Deny is evaluated first, then Allow, so a matching Allow overrides the Deny
Order deny,allow
Deny from all
Allow from you.re.ip.add
</Location>

This will present any user not accessing your login page from that IP with a 403 Forbidden error. If you want to block all IPs until a fix comes out, just miss out the Allow line:

<Location /wp-login.php>
Order deny,allow
Deny from all
</Location>
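As an added illustration (not code from the original post or from WordPress), here is a small Python helper that validates the addresses you intend to put in the Allow line, renders the <Location> block above, and emulates the “Order deny,allow / Deny from all / Allow from …” decision for a given client IP so you can check the rule before reloading Apache. The Apache 2.4 output (“Require ip” / “Require all denied”) is included for readers on that later release; the addresses in the examples are constructed documentation-range values.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allow_list(entries: Iterable[str]) -> List[Network]:
    """Validate each intended 'Allow from' entry as an IPv4/IPv6 address or
    CIDR network. An unfilled placeholder such as "you.re.ip.add" raises
    ValueError instead of silently producing a rule that allows nobody."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            raise ValueError(f"not an IP address or CIDR network: {entry!r}")
    return nets


def is_valid_entry(entry: str) -> bool:
    """True if the entry would be accepted by parse_allow_list."""
    try:
        parse_allow_list([entry])
        return True
    except ValueError:
        return False


def _fmt(net: Network) -> str:
    # Print single hosts without the /32 or /128 suffix, networks in CIDR form.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def render_location_block(entries: Iterable[str], path: str = "/wp-login.php",
                          apache24: bool = False) -> str:
    """Render the <Location> block. With no entries the block denies everyone,
    matching the 'until a fix comes out' variant from the post."""
    allow = [_fmt(n) for n in parse_allow_list(entries)]
    lines = [f"<Location {path}>"]
    if apache24:
        # Apache 2.4 authorization syntax (mod_authz_core); assumed as a
        # known-equivalent, not something the 2009 post covers.
        if allow:
            lines.append("    Require ip " + " ".join(allow))
        else:
            lines.append("    Require all denied")
    else:
        # Apache 2.2 syntax exactly as in the post (mod_authz_host).
        lines.append("    Order deny,allow")
        lines.append("    Deny from all")
        lines.extend(f"    Allow from {a}" for a in allow)
    lines.append("</Location>")
    return "\n".join(lines) + "\n"


def access_allowed(client_ip: str, entries: Iterable[str]) -> bool:
    """Emulate 'Order deny,allow': 'Deny from all' matches every client, and a
    later 'Allow from' match overrides it. With no entries nobody gets in."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_allow_list(entries))


def expected_status(client_ip: str, entries: Iterable[str]) -> int:
    """HTTP status a client should see on /wp-login.php under this rule."""
    return 200 if access_allowed(client_ip, entries) else 403


if __name__ == "__main__":
    allowed = ["203.0.113.7", "2001:db8::/32"]  # constructed sample values
    print(render_location_block(allowed))
    for client in ("203.0.113.7", "198.51.100.9", "2001:db8::1"):
        print(client, "->", expected_status(client, allowed))
```

After reloading Apache, the same check can be made from the outside: a request for /wp-login.php from an address not in the Allow list should come back with a 403 status line, while a request from the listed address still gets the login form.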


Nothing left to take away

Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.
— Antoine de Saint-Exupéry

Coding often feels like this.
