ThemeLab's Blog

Stay up to date with our newest WordPress themes, WordPress plugins, WordPress tutorials, and other announcements.

WordPress 2.8.3 Security Fix: Admin Password Reset

Last Updated on by

Just found out about a potentially annoying WordPress 2.8.3 security issue. Basically, anyone can reset your admin password without any confirmation. This could be a major annoyance if someone decides to reset your admin password constantly.

I just tested this (on one of my own test blogs, of course) and it actually works. After anyone visits the URL, it sends the new password to your e-mail address. If you’re in the middle of doing something in your admin panel, you may have to login again.

Luckily it’s just a one line fix, which you might want to implement if some annoying person thinks it’s funny to reset your password. WordPress 2.8.3 was just released a little more than a week ago. Do I hear a WordPress 2.8.4 coming soon?

If this happens to you, and for some reason you don’t receive an e-mail with the new password and find you can’t login to your blog, you might want to look into resetting your WordPress password through phpMyAdmin.

About

Leland Fiegel was the original founder of ThemeLab. He is a web developer who loves WordPress and blogging.

  • http://DotPunch.com RandallB.

    Oh Joy now I get to worry about this?

    Very interesting that they would do not make sure for something like this.

  • Leland

    @RandallB: These kinda things happen sometimes. Since this is an open source project, anyone can find and fix these problems. Hopefully an official fix will be released soon.

  • http://www.julierene.com Detoam

    Thank You for the tip. One of my blogs was recently hacked in. Strangely all that someone did was create a few posts. Still can’t figure out why.

  • Leland

    @Detoam: No problem. Sorry to hear your blog was hacked. Are you sure all they did was create a few posts? Do you know how they hacked in the first place?

  • http://www.detoam.com Detoam

    @Leland
    I never did figure out how they hacked in, but yeah all they’ve done was make a few posts. I ended up reinstalling the blog completely to make sure I removed all that I might have missed.