Title: Security flaw in version 3
Last modified: August 19, 2016

---

# Security flaw in version 3

 *  [byc](https://wordpress.org/support/users/byc/)
 * (@byc)
 * [15 years, 10 months ago](https://wordpress.org/support/topic/security-flaw-in-version-3/)
 * I just had a hacker successfully hack my WordPress. Luckily I was sitting at 
   my desk when my phone alerted me to a new email that said someone changed my 
   password.
 * Title of the email was:
 * “(your blog name) Password Lost/Changed”
 * with body message:
    Password Lost and Changed for user: yourusername
 * They’re using the wp-login script somehow judging by their path through my site.
   The IP (93.91.197.18) belongs to someone in the United Arab Emirates and they
   used an email that was amir-something@hotmail.com.
 * I suggest everyone password protect their wp-admin folder and rename the wp-login
   file to something else.

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Thread Starter [byc](https://wordpress.org/support/users/byc/)
 * (@byc)
 * [15 years, 10 months ago](https://wordpress.org/support/topic/security-flaw-in-version-3/#post-1598437)
 * Actually don’t rename wp-login.php. Go in and edit it to disable the lost password
   functionality for the time being. Go to line 369 and add an extra line after 
   it with “break;”
 * **So before is:**
    case 'lostpassword' :
    case 'retrievepassword' :
 * **After is:**
    case 'lostpassword' :
        break;
    case 'retrievepassword' :
 *  Thread Starter [byc](https://wordpress.org/support/users/byc/)
 * (@byc)
 * [15 years, 10 months ago](https://wordpress.org/support/topic/security-flaw-in-version-3/#post-1598440)
 * And here’s the logs of the hacker’s path through my site during his session on
   it:
 * [log content censored for your protection]
 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [15 years, 9 months ago](https://wordpress.org/support/topic/security-flaw-in-version-3/#post-1598509)
 * Please report your finding directly to security@wordpress.org
 * These things should not be discussed publicly. That’s how hacks and vulnerabilities
   are spread publicly, thus endangering everyone else on the platform.

The topic ‘Security flaw in version 3’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 2 participants
 * Last reply from: [James Huff](https://wordpress.org/support/users/macmanx/)
 * Last activity: [15 years, 9 months ago](https://wordpress.org/support/topic/security-flaw-in-version-3/#post-1598509)
 * Status: not resolved

