
How to make WP a little bit more secure (6 posts)

  1. Matt123987
    Member
    Posted 1 year ago #

    Some plugins allowe(d) SQL-Injections. In such cases it is/was possible to see the user-activation-key without getting the corresponding email with the password-recovery-link containing this key. (See an example on youtube)

    I think it would be a good idea to help against such vectors by the following two additions:

    As of WP 3.5.2 make changes in the file wp-login.php:

    Line 229, from:
    $wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login));
    Line 229, to:
    $wpdb->update($wpdb->users, array('user_activation_key' => md5($key)), array('user_login' => $user_login));

    Line 458, from:
    $user = check_password_reset_key($_GET['key'], $_GET['login']);
    Line 458, to:
    $user = check_password_reset_key(md5($_GET['key']), $_GET['login']);

    Now any attacker can see the md5-code of the user-activation-key but doesn't know the corresponding key.

    Any suggestions?
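The idea above, storing only a hash of the activation key so that a read-only database leak (for example through a plugin's SQL injection) no longer yields a working reset link, is shown below as an added example. It is not WordPress code and not the poster's patch; the in-memory `$users` table, the function names, and the `RESET_KEY_SECRET` and `RESET_KEY_TTL` constants are assumptions for the demonstration. It goes slightly beyond the md5 suggestion: the stored value is a keyed hash (HMAC with a server-side secret), the comparison is constant-time, and the key carries an issue timestamp so it expires. WordPress core itself later moved to storing a hash of the reset key rather than the key.

```php
<?php
// Added example (not WordPress code): keep only a keyed hash of the password
// reset key in the database. An attacker who can read the users table sees
// the hash, but the key that must appear in the reset URL is never stored.

// Assumed: in a real install this would come from a salt in wp-config.php.
const RESET_KEY_SECRET = 'replace-with-a-long-random-secret';
const RESET_KEY_TTL    = 86400; // assumed key lifetime in seconds (one day)

// The random key that is emailed to the user (160 bits of entropy).
function generate_reset_key(): string {
    return bin2hex(random_bytes(20));
}

// The value that is safe to store. A keyed hash means the stored value is
// useless to an attacker even if they can read it and know the algorithm.
function derive_stored_key(string $key): string {
    return hash_hmac('sha256', $key, RESET_KEY_SECRET);
}

// Counterpart of the $wpdb->update() call in the post, against an in-memory
// users table: only "issued-timestamp:hash" is written, never the key.
function store_reset_key(array &$users, string $login, string $key): void {
    $users[$login]['user_activation_key'] = time() . ':' . derive_stored_key($key);
}

// Counterpart of check_password_reset_key(): re-derive the hash from the key
// presented in the URL and compare in constant time; reject expired keys.
function check_reset_key(array $users, string $key, string $login): bool {
    if (!isset($users[$login]['user_activation_key'])) {
        return false;
    }
    [$issued, $stored] = explode(':', $users[$login]['user_activation_key'], 2);
    if (time() - (int) $issued > RESET_KEY_TTL) {
        return false; // key too old
    }
    return hash_equals($stored, derive_stored_key($key));
}

// --- demonstration with a constructed users table ---
$users = ['alice' => ['user_email' => 'alice@example.invalid']];

$key = generate_reset_key();            // this value goes into the email
store_reset_key($users, 'alice', $key);

// What a database read reveals: a timestamp and an HMAC, not the key.
echo 'stored: ' . $users['alice']['user_activation_key'] . PHP_EOL;

var_dump(check_reset_key($users, $key, 'alice'));          // the emailed key
var_dump(check_reset_key($users, 'wrong-key', 'alice'));   // a wrong key

// Pasting the leaked stored value into the reset URL must not work either.
[, $leaked] = explode(':', $users['alice']['user_activation_key'], 2);
var_dump(check_reset_key($users, $leaked, 'alice'));       // the leaked hash
```

Run it with `php example.php`; the first check passes and the other two fail. The md5 variant from the post blocks the same attacker as long as the key has enough entropy that it cannot be brute-forced from its hash (WordPress's 20-character random key does), and the keyed hash with `hash_equals` simply removes that dependency and the timing side channel of a plain string comparison.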

  2. Hi Matt. Thanks for taking the time to post this.

    I've moved this post from "How-To and Troubleshooting" to "Requests and Feedback" for you.

    It may be a good idea for you to also post your idea at: http://wordpress.org/ideas/, this is where ideas on improving WordPress are reviewed and voted upon, with the highest rated ideas being implemented.

  3. esmi
    Forum Moderator
    Posted 1 year ago #

    Some plugins allowe(d) SQL-Injections.

    Have you notified the authors of these plugins?

  4. Matt123987
    Member
    Posted 1 year ago #

    @esmi:
    I have found the injections using a search engine. They are documented, described or demonstrated on the internet. So I hope that newer versions of these plugins are secured.

    But nevertheless, in the future it could be possible to find another plugin that may be injected in the known way (as demonstrated on the internet).

    My proposal is to strengthen WP against such attacks, where an attacker hopes to read the user-activation-key without knowing the email address.

  5. WODARA
    Member
    Posted 12 months ago #

    I am shocked at how poorly everything on WP.org is compared to WP.com! The headache I'm experiencing in migrating my site and getting something that actually WORKS is impossible to describe.

  6. WPyogi
    Volunteer Moderator
    Posted 12 months ago #

    @WODARA - I'm sorry you're having a difficult time, but one thing you should be aware of is that everyone here is a volunteer - and there are MANY more variables and potential problems when self-hosting a site. WordPress.COM has paid staff, WordPress.ORG does not.

    So to begin with, please read over the forum guidelines which should be helpful in finding a better place to post if you need help:

    http://codex.wordpress.org/Forum_Welcome

    Someone would be happy to help you, but posting in other people's unrelated threads really doesn't work well here.
