Stranger accessing wp-login.php? action=lostpassword

  • I got this from my referrer log this morning:

    050311 06:06:23 /weblog/wp-login.php

    050311 06:06:19 /weblog/wp-login.php

    050311 06:06:01 /weblog/wp-login.php

    050311 06:04:37 /wp-login.php

    050311 06:04:27 /weblog/wp-login.php

    050311 06:04:21 /weblog/wp-login.php

    050311 06:04:16 /weblog/wp-login.php

    050311 05:59:56 /weblog/wp-login.php

    050311 05:59:38 /weblog/wp-login.php?action=lostpassword

    050311 05:59:33 /weblog/wp-login.php


    It wasn’t me nor anyone I know, that WP 1.5 install is mine and mine alone.

    I was asleep at the time of the above.

    I got 7 emails generated from WP to change my password.

    2 of them were “Password Lost and Changed for admin”

    The rest (5) were “Your New Password”

    Whoever it was surfed into the login page and tried to log in as “admin”.

    Sure they changed my password, but they couldn’t get it … So I just had to go into phpmyadmin and reinstate my password.

    But this then raises the question — Have any of y’all ever had this happen? I’ve never seen this on any blog installations of mine, that’s WP or MT or Blogger.

    Is there a way to code the password change feature so that the system ignores it if it isn’t used … as many forums do?

    In any case, it just bugged me that someone tried that and was able to cause me to do extra stuff just to get into my WP install.

    It doesn’t make sense from my end, that someone would try this for a valid good reason. Attempting to login to my site as admin, and trying to get the password changed.

    Maybe they hacked something up, I can’t tell yet. I don’t see that as a nice reason, but I know on someone else’s end they might view it as “valid”.

    So the value of going to a blog and attempting to change the admin password to login is … I don’t know.

    I’m asking to see if this has happened to anyone else, kind of rambling, sorry! Not enough coffee yet today!

Viewing 9 replies - 1 through 9 (of 9 total)
  • It looks like this is fixed in 1.5. I just tried using the ‘lost password’ link and I first need to enter my correct username and email address. (Do earlier versions ask for the email address?) Once I put the correct info in it sent the following email:

    Someone has asked to reset a password for the login this site

    Login: admin

    To reset your password visit the following address, otherwise just ignore this email and nothing will happen.

    I’ve read of two other instances where attempted logging in by unauthorised persons has occurred. I don’t know if this is related to WP in any way – my suggestion would be to contact your sysadmin and let them know that someone tried to steal your login, or had succeeded so they can contact the relevant authorities (though they probably used several proxies in the process).

    So for me this is the third comment on such an issue, albeit all vary to some degree. It’s possible that this is related to a plugin that all three users have used, or it may be a flaw in WP – if it is a WP flaw, I would have thought the forums would be flooded with such instances, though perhaps only a few are attempting it.

    It will be interesting to see what the developer’s take on this is, but it does leave me moderately concerned.

    Ming I don’t actually get this with my own 1.5 install – so I can only assume that this is a fix added since it was first launched, in which case could a developer confirm as such and will users of 1.5 be required to redownload 1.5 of recent and upgrade their original 1.5?

    me perplexed.

    This happened on my WP 1.5 install that gets hits with spam.

    I have other WP 1.5 and 1.2 installs that do not get hit with spam.

    Just to be clear about it.

    I do know I’ve seen the “someone has asked to reset …” email before, when working with a WP 1.2 install, I think. Whatever though, it’s just that it wasn’t me doing the password changing, and all I got were the 7 emails that I referenced above.

    The IP of the ‘thing’ logged as a RIPE Moscow RU owned IP when looked up at ARIN whois and then searching the RIPE db there.

    I just checked my site and when you load wp-login.php it does provide a link to click if you have lost your password. That form then requires one to enter the User Name and the Email Address of the User to have it sent.

    The User Name and the Email Address must match the internal records.

    So how is someone outside then going in and entering ‘admin’ as user, as is easy to do if you know WP of course, and then getting any email sent to me, as I don’t have my email address listed on my WP sites. Sure they might be able to find it elsewhere online, but that’d take work.

    What I did, I tried to log in as a real user on my blog, not admin but an old user I had from importing wrong before, to login with that USER NAME and a wrong password brought up the screen that let me access the “lost password” form. [actually that link is available on the wp-login.php page too]

    When I input a wrong email address into that form I got this:

    Sorry, that user does not seem to exist in our database. Perhaps you have the wrong username or e-mail address? Try again.

    so inputting a wrong USER NAME or PASSWORD or EMAIL ADDRESS gives that same message.

    How did 7 emails, 5 that were actual new passwords generated and two that were “password changed” get sent?

    Here’s the WP Message and the EMAIL I actually just got from my site when I input for a lostpassword:

    and my real email address

    I got this result:

    The e-mail was sent successfully to admin's e-mail address.
    Click here to login!

    and THIS EMAIL:

    subj: Password Reset

    Someone has asked to reset a password for the login this site

    Login: admin

    To reset your password visit the following address, otherwise just ignore this email and nothing will happen.

    (I didn’t include the text of the links.)


    So it works right. Someone fiddled then to do something different on my site. Here’s the actual body and subj of the two kinds of emails that I had upon waking this morning:

    subj: Your New Password

    Login: admin
    Password: 822294e

    subj: Password Lost/Changed

    Password Lost and Changed for user: admin

    The first one of the two above I got 5 of, with different passwords generated.

    The second of the two above I got 2 of.

    All were very very plain and blah looking, compared to the email I do get if I truly myself do the work to get a new password.

    So I generated a new password to be sent to me, then went to login and logged in with my regular old password, no problem. I was in fine.

    So I’m not comfortable about this at all suddenly. Did someone somehow get into my site? Or not, or what?

    I mean, how could they get my password changed and me not get a real email, they bypassed the real system somehow, did something odd, something … I can’t put my finger on it, my brain is a bit fuzzy … I’m coming down with a virus and so this isn’t my best day to be confronted with this.

    I did search this forum as best I could before posting this original thread, but couldn’t come up with anything, as it’s hard to put it into words … sigh.

    It’s then like this. I got the emails of weirdom this morning. Went to my site, and couldn’t log in.

    So I fixed my password in phpmyadmin, and could get in, noticing nothing “wrong” in my WP install, so far.

    That bugs me. I couldn’t replicate that … so something weird happened, the person used something somehow to do something and it’s really bothering me more now that I’ve written all of this.

    I have several sites, all on one server. Only this ONE BLOG is affected with spam and now this weirdo thing. Urg!

    To be safe you should file a security bug report at There might be something simple we’re missing, or possibly unrelated to WordPress, but the devs can confirm that.

    Can this kind of drama be avoided by using password protection via .htaccess for the wp-admin folder?

    I don’t have a tv. WP support forum drama is all I’ve got, don’t deny me that.

    I filed a security bug report on March 11th and there is talk there about the problem and a patch and updated code in the trac.wordpress… wp-login.php.


    Moderator Mark Jaquith


    WordPress Lead Dev

    georgianlady, Thanks for bringing this issue up. I discovered the problem last night, thanks to your bug report. The problem has been solved in SVN.

    Until WordPress 1.5.1, here’s what you need to do to secure your blog against future password changes.

    Request a new password for all your WP users using the “Forgot your password?” link on the login form. Each user will get an e-mail. Do not click the link in the e-mail, just delete it. If you do this for every user, you will no longer have any problems.
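
The original question asks for a reset that is ignored unless it is used, which is what the 1.5 e-mail quoted in the thread promises. The following is an added example of such a two-step reset, not WordPress code and not written by anyone in this thread; the `Accounts` class, `RESET_TTL` and the in-memory user table are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

RESET_TTL = 3600  # seconds a reset key stays valid (assumed value)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _key_hash(key):
    # The key is high-entropy, so a plain SHA-256 is enough to store it safely.
    return hashlib.sha256(key.encode()).hexdigest()

class Accounts:  # in-memory stand-in for a users table (hypothetical)
    def __init__(self):
        self.users = {}

    def add(self, login, email, password):
        salt = os.urandom(16)
        self.users[login] = {"email": email, "salt": salt,
                             "pw": _pw_hash(password, salt), "reset": None}

    def check_password(self, login, password):
        u = self.users.get(login)
        return bool(u) and hmac.compare_digest(u["pw"], _pw_hash(password, u["salt"]))

    def request_reset(self, login, email, now=None):
        """Step 1: record a one-time key. The current password is not touched."""
        u = self.users.get(login)
        if u is None or u["email"].lower() != email.lower():
            return None
        key = secrets.token_urlsafe(32)
        u["reset"] = (_key_hash(key), (time.time() if now is None else now) + RESET_TTL)
        return key  # a real system mails this to the address on file

    def confirm_reset(self, login, key, new_password, now=None):
        """Step 2: only the holder of the mailed key can change the password."""
        u = self.users.get(login)
        if u is None or not key or u["reset"] is None:
            return False  # no pending request or blank key: nothing to match
        stored, expires = u["reset"]
        now = time.time() if now is None else now
        if now > expires or not hmac.compare_digest(stored, _key_hash(key)):
            return False
        u["pw"] = _pw_hash(new_password, u["salt"])
        u["reset"] = None  # single use
        return True
```

A stranger who submits the request form triggers at most an e-mail; the stored password only changes in `confirm_reset`, and an account with no pending request rejects every key, including an empty one.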
