Patch for Wordpress Remote Admin Reset Password Vu

Posted 2019-08-02 10:37

Question:

The vulnerability is documented here. The patch is supposedly a 1-line replace, as documented here in line 190 of branches/2.8/wp-login.php - the new patch should look like this (check line 118). My question is - is this patch enough? If not, any suggestions?

Answer 1:

As I understand it, the patch closes that particular hole. However, another basic security measure I take on every WP site I administrate is to delete the "admin" user, and ideally never have any users' usernames be the same as their display names. That doubles the security in that bad guys have to guess the usernames, as well as figure out a way to hack the passwords.

There are a lot of additional security measures you can find by doing a search on WordPress + security, but I have stuck with changing usernames, altering the db table names on install, and basic permissions stuff. That's worked well so far, without the ton of additional upkeep necessary during WP upgrades that some of the more intense security measures require.

Answer 2:

Yes, this is a very good patch for the Wordpress vulnerability.

// Reject the reset key if it is empty or if it is not a scalar (an array passes empty())
if ( empty( $key ) || is_array( $key ) )
    return new WP_Error('invalid_key', __('Invalid key'));

This is NOT SQL injection; if it were, you could dump the entire table of users. Changing your name is not a very good security measure. Keeping your code up to date is what you must always do, or you will be hacked.
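As an added example (PHP written for this page, not WordPress's own code or either answer's), the snippet below puts the check before the patch (assumed to be `if ( empty( $key ) )`, since the page describes a one-line replace) beside the patched check and beside a stricter, hypothetical variant that also pins the key to an expected shape. The 20-character alphanumeric key format and the function names are assumptions for this example.

```php
<?php
// Added example, not WordPress code. Each function returns an error code
// string for a rejected key and null for an accepted one.

function reset_key_error_unpatched($key) {
    // Assumed pre-patch check: only "empty" values are rejected.
    // A non-empty array is not empty(), so it passes this check.
    if ( empty( $key ) )
        return 'invalid_key';
    return null;
}

function reset_key_error_patched($key) {
    // The patched check shown in the answer: arrays are rejected too.
    if ( empty( $key ) || is_array( $key ) )
        return 'invalid_key';
    return null;
}

function reset_key_error_strict($key) {
    // Hypothetical stricter variant: the key must be a string of the
    // expected shape (assumed: 20 alphanumeric characters), so nothing
    // but a well-formed key ever reaches the database lookup.
    if ( ! is_string( $key ) || ! preg_match( '/^[A-Za-z0-9]{20}$/', $key ) )
        return 'invalid_key';
    return null;
}

// Constructed inputs, shaped the way PHP delivers query-string values:
// key=<value> arrives as a string, key[]=<value> arrives as an array.
$inputs = [
    'well-formed key' => 'a1b2c3d4e5f6g7h8i9j0',
    'empty string'    => '',
    'array value'     => [ 'x' ],
    'wrong charset'   => 'a1b2-c3d4e5f6g7h8i9j',
    'wrong length'    => 'abc',
];

foreach ( $inputs as $label => $key ) {
    printf( "%-16s unpatched=%-12s patched=%-12s strict=%s\n", $label,
        reset_key_error_unpatched( $key ) ?? 'accepted',
        reset_key_error_patched( $key ) ?? 'accepted',
        reset_key_error_strict( $key ) ?? 'accepted' );
}
```

The array row is the one that separates the unpatched check from the patched one; the last two rows show what the stricter variant adds on top of the patch.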