Support » Requests and Feedback » How to make WP a little bit more secure

How to make WP a little bit more secure

  • Some plugins allowe(d) SQL-Injections. In such cases it is/was possible to see the user-activation-key without getting the corresponding email with the password-recovery-link containing this key. (See an example on youtube)

    I think it would be a good idea to help against such vectors by the following two additions:

    As of WP 3.5.2 make changes in the file wp-login.php:

    Line 229, from:
    $wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login));
    Line 229, to:
    $wpdb->update($wpdb->users, array('user_activation_key' => md5($key)), array('user_login' => $user_login));

    Line 458, from:
    $user = check_password_reset_key($_GET['key'], $_GET['login']);
    Line 458, to:
    $user = check_password_reset_key(md5($_GET['key']), $_GET['login']);

    Now any attacker can see the md5-code of the user-activation-key but doesn’t know the corresponding key.

    Any suggestions?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Siobhan Bamber (siobhyb)


    Automattic Happiness Engineer

    Hi Matt. Thanks for taking the time to post this.

    I’ve moved this post from “How-To and Troubleshooting” to “Requests and Feedback” for you.

    It may be a good idea for you to also post your idea at: http://wordpress.org/ideas/, this where ideas on improving WordPress are reviewed and voted upon, with the highest rated ideas being implemented.



    Forum Moderator

    Some plugins allowe(d) SQL-Injections.

    Have you notified the authors of these plugins?

    I have found the injections using a search engine. They are documented, descriped or demonstrated in the internet. So I hope that newer versions of this plugins are secured.

    But never the less in the future it could be possible to find another plugin that may be injected the known way (as demonstrated in the internet).

    My proposel is to stealthen WP against such attacks, where an attacker hopes to read the user-activation-key without knowing the email address.

    I am shocked at how poorly everything on WP.org is compared to WP.com! The headache I’m experiencing in migrating my site and getting something that actually WORKS is impossible to describe.



    Forum Moderator

    @wodara – I’m sorry you’re having a difficult time, but one thing you should be aware of is that everyone here is a volunteer – and there are MANY more variables and potential problems when self-hosting a site. WordPress.COM has paid staff, WordPress.ORG does not.

    So to begin with, please read over the forum guidelines which should be helpful in finding a better place to post if you need help:


    Someone would be happy to help you, but posting other people’s unrelated threads really doesn’t work well here.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘How to make WP a little bit more secure’ is closed to new replies.