Yesterday, I believe someone tried unsuccessfully to gain administrative WordPress access to this site using an old or ineffective ploy.

They registered a user called “admin” and then requested the system to change this user's password several times, perhaps in hopes it would change the WordPress default administrator's password, also named “admin.” I’ve renamed the WP administrator, so it wouldn’t have worked in any case. The email given for user registration was “icanhascheckmate (at) yahoo.com”, which makes it seem more like a ploy rather than just someone screwing around.

Their admin user never had access above subscriber.

As a precaution I’ve changed my administrator's password, deleted the false “admin” user and set the “Anyone can register” option to “no.”

Anyone hear of this one before?

Update: It turns out this isn’t an old ploy but in fact a new security weakness, for which WordPress 2.6.2 has just been released. Per the WP 2.6.2 release notes:

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.

WordPress 2.6.2 is a critical release for those who allow registration on their blog…at this point I do not.
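To make the second half of that attack concrete, here is an added illustration in Python. It is not WordPress or PHP code, and it does not reproduce the crafted-username trick or PHP's real mt_rand() seeding formula, neither of which the release notes spell out. It models the general failure mode the notes describe: a reset password that is a deterministic function of a low-entropy seed, so an attacker who never sees the password can still enumerate the plausible seed space and shrink a 62^7 password space to a few tens of thousands of candidates. The seed function (timestamp mixed with a process id), the 7-character password length, the time window and the pid range are all assumptions chosen for the example; the sample scenario values are constructed.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 7  # assumption: a short generated reset password


def weak_seed(timestamp: int, pid: int) -> int:
    """Hypothetical low-entropy seed: a one-second-resolution timestamp
    mixed with a process id. This stands in for the "weakness in the random
    number seeding"; it is NOT PHP's or WordPress's actual seeding formula."""
    return (timestamp << 16) ^ pid


def password_from_seed(seed: int, length: int = PASSWORD_LEN) -> str:
    """Generate the 'random' reset password from a seed.
    random.Random is MT19937 like PHP's mt_rand(), but its seeding differs;
    the only property that matters here is that the output is a pure
    function of the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def predict_candidates(t_guess: int, window: int, pid_lo: int, pid_hi: int) -> set:
    """Attacker side. The attacker is not shown the password, but knows
    roughly when the reset fired (within +/- window seconds, e.g. from
    the timing of their own reset requests) and a plausible pid range,
    so they regenerate the password for every seed in that space."""
    candidates = set()
    for t in range(t_guess - window, t_guess + window + 1):
        for pid in range(pid_lo, pid_hi + 1):
            candidates.add(password_from_seed(weak_seed(t, pid)))
    return candidates


def strong_reset_password(length: int = PASSWORD_LEN) -> str:
    """Hardened form: draw from the OS CSPRNG. There is no seed to
    enumerate, so the reset-trigger bug alone cannot be escalated."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def demo():
    """Constructed scenario: the victim's reset runs at t=1222000000
    (September 2008) in pid 4242. The attacker's time guess is 3 s off
    and they assume pids 3000-5000."""
    actual_time, actual_pid = 1222000000, 4242
    victim_password = password_from_seed(weak_seed(actual_time, actual_pid))
    cands = predict_candidates(actual_time + 3, 10, 3000, 5000)
    return victim_password, cands


if __name__ == "__main__":
    pw, cands = demo()
    print("victim password recovered:", pw in cands)
    print("candidates to try:", len(cands),
          "vs. nominal space:", len(ALPHABET) ** PASSWORD_LEN)
```

The candidate set is small enough to feed straight into a login attempt loop, which is exactly why the release notes call the reset trigger "annoying but not a security exploit" on its own yet critical once paired with predictable seeding: the fix on the generator side is to source the password from a CSPRNG (secrets/os.urandom here), and the reset trigger itself still needs closing so that an unauthenticated registrant cannot rotate another account's password at will.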
