I don’t fully know why, yet, but a cleanly installed WordPress 2.8.4 blog I have familiarity with is still being hacked with a password recovery attack. As a stop-gap until we find the actual vector of compromise I threw together the following Apache mod_rewrite rules to thwart these attacks. The downside of these rules is that now if I forget my password I’ll have to change it via direct database manipulation (which is fine with me).
I added the following snippet to the .htaccess file in my webroot (DOCUMENT_ROOT) before any other mod_rewrite sections. Warning: this is not authoritatively guaranteed to do anything, it’s just done out of frustration while the real vulnerability is identified and fixed (and it could be social engineering, plugin, system or WordPress vulnerability — I really can’t say for sure where the problem lies at this time). Without further disclaimer, here’s the snippet:
# BEGIN Block recover password
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Rule 1: a GET carrying action=lostpassword anywhere in the query string is
# sent to the front page. The trailing "?" on the target discards the
# original query string from the redirect.
RewriteCond %{QUERY_STRING} ^.*action=lostpassword.*$
RewriteCond %{REQUEST_METHOD} =GET
RewriteRule ^(.*)$ /index.php? [R=301,L]
# Rule 2: any non-GET request to wp-login.php is redirected elsewhere.
# %{REQUEST_URI} is the path only, so the query string plays no part here.
RewriteCond %{REQUEST_URI} ^/wp-login.php.*$
RewriteCond %{REQUEST_METHOD} !=GET
RewriteRule ^(.*)$ http://lmgtfy.com/?q=get+a+clue [R=301,L]
</IfModule>
# END Block recover password
You may notice I do one of two things. If you simply request the “action=lostpassword” function with a GET, you’re silently redirected to my front page. But if you POST to wp-login.php (say, submitting a lost-password request from your own hand-made form, which is trivially easy to build), I insult your intelligence by sending you to Let Me Google That For You for the phrase “get a clue”. Note that the second rule keys on the request method and path rather than on the action, so it catches every non-GET request to wp-login.php, the normal login form’s POST included. I seriously do not recommend taunting attackers, automated or not. If you just want the silent action, use this instead (RECOMMENDED):
# BEGIN Block recover password
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Any request, whatever the method, with action=lostpassword in the query
# string is sent to the front page; the query string itself is dropped.
RewriteCond %{QUERY_STRING} ^.*action=lostpassword.*$
RewriteRule ^(.*)$ /index.php? [R=301,L]
</IfModule>
# END Block recover password
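To see exactly which requests each of the two snippets above catches, and which slip past, here is a small model of mod_rewrite's condition evaluation run over a handful of constructed requests. This is an added example, not code from the original post; it assumes the documented mod_rewrite semantics (%{REQUEST_URI} is the path without the query string, %{QUERY_STRING} is matched as a regex, "=" and "!=" are lexical comparisons, and the [L] flag makes the first matching rule final) and that wp-login.php takes its action from $_REQUEST, so a parameter in the POST body is honoured even when the query string is empty. The sample requests and the request names are made up for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs


@dataclass
class Request:
    method: str
    path: str          # %{REQUEST_URI}: the path only, never the query string
    query: str = ""    # %{QUERY_STRING}
    body: str = ""     # POST body: mod_rewrite has no variable that exposes it


Cond = Tuple[str, str]          # (server variable, test)
Rule = Tuple[List[Cond], str]   # (conditions, redirect target)


def cond_matches(req: Request, variable: str, test: str) -> bool:
    """One RewriteCond. A test beginning with '=' or '!=' is mod_rewrite's
    lexical string comparison; anything else is treated as a regex."""
    value = {"QUERY_STRING": req.query,
             "REQUEST_METHOD": req.method,
             "REQUEST_URI": req.path}[variable]
    if test.startswith("!="):
        return value != test[2:]
    if test.startswith("="):
        return value == test[1:]
    return re.search(test, value) is not None


def evaluate(req: Request, ruleset: List[Rule]) -> Optional[str]:
    """Walk the rules in order; the first whose conditions all hold wins
    (every rule in the post carries [R=301,L], so nothing after it runs).
    None means the request falls through to WordPress untouched."""
    for conds, target in ruleset:
        if all(cond_matches(req, var, test) for var, test in conds):
            return target
    return None


# The post's first snippet, transcribed as (conditions, target) pairs.
TAUNTING_RULES: List[Rule] = [
    ([("QUERY_STRING", r"^.*action=lostpassword.*$"),
      ("REQUEST_METHOD", "=GET")], "/index.php?"),
    ([("REQUEST_URI", r"^/wp-login.php.*$"),
      ("REQUEST_METHOD", "!=GET")], "http://lmgtfy.com/?q=get+a+clue"),
]

# The post's RECOMMENDED snippet: query string only, any method.
SILENT_RULES: List[Rule] = [
    ([("QUERY_STRING", r"^.*action=lostpassword.*$")], "/index.php?"),
]


def wordpress_action(req: Request) -> str:
    """The action wp-login.php would act on. It reads $_REQUEST['action'],
    so a body parameter counts; with PHP's default request_order (GP) a POST
    value overrides a query-string one (assumption about the PHP setup)."""
    params = parse_qs(req.query)
    params.update(parse_qs(req.body))
    return params.get("action", ["login"])[0]


# Constructed sample traffic, not captured from any real server.
SAMPLE_REQUESTS: Dict[str, Request] = {
    "lostpassword_get":       Request("GET", "/wp-login.php", "action=lostpassword"),
    "lostpassword_post_qs":   Request("POST", "/wp-login.php", "action=lostpassword",
                                      "user_login=admin&wp-submit=Get+New+Password"),
    "lostpassword_post_body": Request("POST", "/wp-login.php", "",
                                      "action=lostpassword&user_login=admin"),
    "normal_login_post":      Request("POST", "/wp-login.php", "",
                                      "log=admin&pwd=secret&wp-submit=Log+In"),
    "front_page":             Request("GET", "/", ""),
}


def outcomes() -> Dict[str, Tuple[Optional[str], Optional[str], str]]:
    """Per sample: (taunting snippet result, silent snippet result,
    the action WordPress would see if the request got through)."""
    return {name: (evaluate(req, TAUNTING_RULES),
                   evaluate(req, SILENT_RULES),
                   wordpress_action(req))
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (taunt, silent, action) in outcomes().items():
        print(f"{name:24s} taunting={taunt!s:33s} silent={silent!s:12s} wp_action={action}")
```

Two things fall out of the table this prints. The taunting snippet redirects every POST to wp-login.php, so the ordinary login form never reaches WordPress either. The silent snippet only ever inspects the query string, so a hand-made form that POSTs action=lostpassword in the body goes straight through to wp-login.php, which still treats it as a lost-password request; mod_rewrite cannot close that path on its own. One further caveat: R=301 is a permanent redirect that browsers cache, so once these rules are removed a client that hit them may keep landing on the front page until its cache is cleared; R=302 avoids that.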
That should hold me over until I find out what the heck is responsible for allowing turkeys to get admin control of blogs they really aren’t committed to maintaining.
Oh, send criticisms, suggestions, corrections and opinions to rjamestaylor {at} gmail {dot} com.
Ok… If you want to test the POST, use this form (it’s one of those “damn easy” to make forms I was talking about):
