Prevent password reset hacking on your WordPress blog

August 12, 2009 at 9:17 am

A few hours ago, a new security loophole was discovered in WordPress 2.8.X. It allows anyone to reset your admin password. Creepy, isn’t it? Don’t panic, just read on to solve the problem.

As I just said, a new security loophole has just been discovered, and it allows anyone to reset your blog’s admin password. The “hacker” will not get your password (it will be emailed to you), but this can be pretty annoying.

Open the wp-login.php file (it is located in the WordPress root directory) and go to line 190. You’ll find this line:

if (empty($key))

Simply replace it with the following and save the file:

if(empty($key) || is_array($key))
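
The difference between the two checks, shown as an added example that is not part of the original post or of WordPress itself: PHP's empty() returns false for an array that has at least one element, so such a value gets past the original check. The function names, the sample values and the stricter third check are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress code. All function names are hypothetical.

// The condition as found on line 190 before the edit.
function key_rejected_original($key) {
    return empty($key);
}

// The condition after the edit described above.
function key_rejected_patched($key) {
    return empty($key) || is_array($key);
}

// A stricter variant (an assumption, not from the post): accept only
// non-empty strings instead of listing the types to refuse.
function key_rejected_strict($key) {
    return !is_string($key) || $key === '';
}

// Constructed sample values for $key.
$samples = array(
    'empty string'    => '',
    'ordinary string' => 'AbC123xyz',
    'empty array'     => array(),
    'non-empty array' => array(''),
    'integer'         => 42,
);

// Report how each check treats each sample value.
function verdict($rejected) {
    return $rejected ? 'rejected' : 'accepted';
}

foreach ($samples as $label => $key) {
    printf(
        "%-16s original: %-9s patched: %-9s strict: %s\n",
        $label,
        verdict(key_rejected_original($key)),
        verdict(key_rejected_patched($key)),
        verdict(key_rejected_strict($key))
    );
}
```

Only the "non-empty array" row differs between the original and the patched check, which is the case the one-line edit closes.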

For more info about the security loophole, you should read this post.