
Hacked using WP Lost Password?

Ali Almahdi

A Saudi guy was trying to hack my website... Of course, due to my knowledge of security, his attempts were not successful. But he reminded me of the method, thus I am posting it to help other WordPress users to secure their blogs.

Simply put, he tried to reset the password using the WordPress lostpassword function. I will not post the details of the method, so people don't try it on other blogs.

However, if you maintain a WordPress blog, you can disable the function using a simple plugin:

```php
<?php
/*
Plugin Name: Disable Lost Password Feature
Plugin URI:
Description: This is a plugin to disable Lost password feature in wordpress. I have found this plugin online and I can't recall the source or the author.
Author: Unknown, Posted by Ali Almahdi
Version: 0.1
Author URI:
*/

// Refuse every password-reset request.
function disable_password_reset() { return false; }
add_filter( 'allow_password_reset', 'disable_password_reset' );

// Blank the "Lost your password?" link text on the login screen.
function remove_password_reset_text( $text ) {
	if ( $text == 'Lost your password?' ) { $text = ''; }
	return $text;
}
function remove_password_reset() { add_filter( 'gettext', 'remove_password_reset_text' ); }
add_action( 'login_head', 'remove_password_reset' );

// Strip the same link text from login error messages.
function remove_password_reset_text_in( $text ) { return str_replace( 'Lost your password</a>?', '</a>', $text ); }
add_filter( 'login_errors', 'remove_password_reset_text_in' );
?>
```

Upload the file to the plugins directory and enable it on the Plugins screen. This will protect you from lost-password attacks.
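
To see whether anyone is submitting the lost-password form, and whether the plugin is actually refusing those requests, the web server's access log can be summarised per client. This is an added example, not part of the original post; the log lines are constructed, and reading a redirect as an accepted request is an assumption about stock `wp-login.php` behaviour.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2310 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:01:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:01:09 +0000] "POST /wp-login.php?action=retrievepassword HTTP/1.1" 302 0 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:01:12 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2500 "-" "-"
192.0.2.44 - - [01/Jan/2024:10:03:00 +0000] "POST /blog/wp-login.php?action=lostpassword HTTP/1.1" 200 2500 "-" "-"
198.51.100.20 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# wp-login.php treats both values as the lost-password action.
RESET_ACTIONS = {"lostpassword", "retrievepassword"}

def summarise(log_text):
    """Return {ip: {"posts": n, "accepted": k}} for submitted reset forms."""
    stats = defaultdict(lambda: {"posts": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # malformed line, or only a view of the form
        url = urlsplit(m["target"])
        action = parse_qs(url.query).get("action", [""])[-1]
        if not url.path.endswith("/wp-login.php") or action not in RESET_ACTIONS:
            continue
        stats[m["ip"]]["posts"] += 1
        # Assumption: stock wp-login.php redirects (3xx) only when it accepted
        # the request; with resets disabled it re-renders the form (200).
        if m["status"].startswith("3"):
            stats[m["ip"]]["accepted"] += 1
    return dict(stats)

def noisy_clients(log_text, threshold=3):
    """IPs that submitted the reset form at least `threshold` times."""
    return sorted(ip for ip, s in summarise(log_text).items() if s["posts"] >= threshold)

if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(ip, s)
```

With the plugin active, the `accepted` count for new requests should stay at zero; a non-zero value means resets are still being processed.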