Default password = "hello". Can hackers find a way?

Hello everybody,

I already know that many of you will beat me hard for this, BUT please after beating me try to help.

I hacked the wordpress password generator to automatically generate ALWAYS THE SAME DEFAULT password. That is, let’s say, “hello” (no quotes).

I need to keep it like that, and I won’t consider ANY solution that advise me to alter this condition.

Having done that, I need to close all the backdoors that hackers may use.

To protect subscribers, I disabled the profile page, and they have to contact me to access their data.

But most important, I needed to disable the “Lost your password” function from wp-login.php.

WHAT A PAIN! All the plugins and hacks that I tried were just removing the link to the password reset form, (i.e. the link to /wp-login.php?action=lostpassword) but I was still able to reach it by manually typing:

mysite.com/wp-login.php?action=lostpassword

The big problem here is, the same function used to generate a random password, that I altered to always output “hello”, is used ALSO to generate the random password reset key. So the random password reset key is ALWAYS hello.

Now, let’s assume that the administrator, nickname John, has a super complicated password.

If somebody gets the admin username or email (easy), they just type:

mysite.com/wp-login.php?action=lostpassword

Enter the admin username or email and send the form. Now the password reset key “hello” is active.

Then they type:

mysite.com/wp-login.php?action=rp&key=hello&login=John

Here they set their own password: they are in and John’s OUT!

I found several methods to prevent the password reset for specific users, using the hook allow_password_reset from user.php but, probably due to my limited php competences, none of them was working.

All I could get was hiding the link from wp-login.php to wp-login.php?action=lostpassword .

To quickly patch this big hole I just prevented user.php from generating ANY password reset key.

line 1947
// $key = wp_generate_password( 20, true );

(please note the EXTREMELY elegant // solution)

Thanks to this, there is no password reset key and none of the following link appears to be valid

mysite.com/wp-login.php?action=rp&key=&login=John

mysite.com/wp-login.php?action=rp&key=hello&login=John

So two questions:

1- Can I do it in a different way??

2- Is there any other backdoor that I’m leaving open for hackers?

Thanks a lot for your help

Nick

PS: If you are going to answer that having such a password generator is dangerous for me, for the users and for the world, without providing me with a solution to my questions, or that “YES, the holes are huge and cannot be enumerated”, please refrain from asnwering. I’ll appreciate your silence