DISCLAIMER: this post is older than one year and may not be up to date with latest WordPress version.

A few hours ago, a new security loophole was discovered in WordPress 2.8.X. This problem allows anyone to reset your admin password. Creepy, isn’t it? Don’t panic, just read on to solve the problem.

As I just said, a new security loophole has just been discovered, and it allows anyone to reset your blog admin password. The “hacker” will not get your password (it will be emailed to you), but this can be pretty annoying.

Open the wp-login.php file (it is located in the WordPress root directory) and go to line 190. You’ll find this line:

if (empty($key))

Simply replace it with the following and save the file:

if(empty($key) || is_array($key))
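
Why the extra is_array() test matters, as an added example that is not WordPress code or part of the original post: PHP's empty() treats an array with at least one element as non-empty, so the original check lets such a value through. The function names and sample values are hypothetical, and the third "strict" check is an added alternative, not something this post prescribes.

```php
<?php
// Added example, not WordPress code. Function names are hypothetical.

// Original condition from wp-login.php: rejects only "empty" values.
function key_rejected_before($key) {
    return empty($key);
}

// Patched condition from this post: also rejects any array.
function key_rejected_after($key) {
    return empty($key) || is_array($key);
}

// Stricter variant (assumption, not from the post): accept only
// non-empty strings, so every other type is rejected up front.
function key_rejected_strict($key) {
    return !is_string($key) || $key === '';
}

// Constructed sample values for the reset key.
$samples = array(
    'missing (null)'    => null,
    'empty string'      => '',
    'normal string key' => 'abc123',    // constructed, not a real key
    'empty array'       => array(),
    'array holding ""'  => array(''),   // non-empty array: empty() is false
);

foreach ($samples as $label => $key) {
    printf(
        "%-18s before=%-8s after=%-8s strict=%s\n",
        $label,
        key_rejected_before($key) ? 'rejected' : 'accepted',
        key_rejected_after($key)  ? 'rejected' : 'accepted',
        key_rejected_strict($key) ? 'rejected' : 'accepted'
    );
}
```

Only the last sample differs between the two checks: the original condition accepts it, while the patched one rejects it.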

For more info about the security loophole, you should read this post.


  1. I was searching for this code all over the net and got it here!

  2. Thank you very much for this tip. I encountered this bizarre problem/hack two days ago, when I got my pass reset 5 times. I’m hoping this will solve the problem…
