Had an issue with people attempting password resets against one of my WordPress instances, which is something I'll literally never require.
Since it's running on Apache, I decided to use mod_security, which makes blocking and alerting on these attempts easy.
# Chained rule: both SecRule lines must match before the deny fires. ARGS covers both the
# query string and the POST body, so it catches the ?action=lostpassword link and the form submission.
SecRule REQUEST_FILENAME "wp-login.php" "id:'400002',chain,deny,log,msg:'Password reset form attempt'"
SecRule ARGS:action "@contains lostpassword"
This is really simple, and nukes the ability for people to reset the password - and it is easy to remove if someone does have to do it :)
Update 2018-03-31: the reality of making it work is slightly longer, since I recently had to do it again myself. Here goes:
- To install it, run:
sudo apt-get install libapache2-mod-security2
- The rule lines above go in this file (the Debian package's security2.conf includes every .conf under /etc/modsecurity, so nothing else has to reference it):
/etc/modsecurity/block_wordpress_password_reset.conf
- Once you've done that, you'll need to enable mod_security. Copy the default config file to a production one:
sudo cp /etc/modsecurity/modsecurity.conf{-recommended,}
- In that file, find this line:
SecRuleEngine DetectionOnly
and change it to
SecRuleEngine On
to enable enforcement (in DetectionOnly mode the rule only logs the attempt and the reset request still goes through).
- Enable the module:
sudo a2enmod security2
- Restart Apache:
sudo service apache2 restart
You should be all good to go!
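An added example, not from the original post: a small Python script that picks rule 400002's hits out of Apache's error_log, counts them per source address for alerting, and flags hits that were logged but not blocked, which is what you see while SecRuleEngine is still DetectionOnly. The log lines are constructed samples in ModSecurity 2.x's error_log format; the rule id and message come from the rule above, and the IPv4 ip:port client form is assumed.

```python
import re
from collections import Counter

# Constructed sample lines shaped like Apache 2.4 error_log entries from ModSecurity 2.x.
# The first three are hits of rule id 400002; the fourth is an unrelated Apache error.
SAMPLE_LOG = """\
[Sat Mar 31 10:12:01.000001 2018] [:error] [pid 1201] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). String match "lostpassword" at ARGS:action. [file "/etc/modsecurity/block_wordpress_password_reset.conf"] [line "2"] [id "400002"] [msg "Password reset form attempt"] [hostname "blog.example"] [uri "/wp-login.php"] [unique_id "WsBwAQ"]
[Sat Mar 31 10:12:09.000002 2018] [:error] [pid 1201] [client 203.0.113.5:51240] ModSecurity: Access denied with code 403 (phase 2). String match "lostpassword" at ARGS:action. [file "/etc/modsecurity/block_wordpress_password_reset.conf"] [line "2"] [id "400002"] [msg "Password reset form attempt"] [hostname "blog.example"] [uri "/wp-login.php"] [unique_id "WsBwCQ"]
[Sat Mar 31 10:15:44.000003 2018] [:error] [pid 1202] [client 198.51.100.7:40210] ModSecurity: Warning. String match "lostpassword" at ARGS:action. [file "/etc/modsecurity/block_wordpress_password_reset.conf"] [line "2"] [id "400002"] [msg "Password reset form attempt"] [hostname "blog.example"] [uri "/wp-login.php"] [unique_id "WsBwrA"]
[Sat Mar 31 10:16:02.000004 2018] [:error] [pid 1202] [client 192.0.2.9:33001] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex
"""

# "Access denied" means SecRuleEngine On blocked the request; "Warning" means
# DetectionOnly only logged it and WordPress still served the reset request.
MODSEC_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<verdict>Access denied|Warning)'
    r'.*?\[id "(?P<id>\d+)"\]'
    r'(?:.*?\[msg "(?P<msg>[^"]*)"\])?'
    r'(?:.*?\[uri "(?P<uri>[^"]*)"\])?'
)

def parse_modsec_events(log_text, rule_id="400002"):
    """Return one dict per log line on which the given ModSecurity rule id fired."""
    events = []
    for line in log_text.splitlines():
        m = MODSEC_RE.search(line)
        if not m or m.group("id") != rule_id:
            continue
        client = m.group("client").rsplit(":", 1)[0]  # drop the source port (IPv4 form assumed)
        events.append({
            "client": client,
            "blocked": m.group("verdict") == "Access denied",
            "msg": m.group("msg"),
            "uri": m.group("uri"),
        })
    return events

def attempts_per_client(events):
    """Reset attempts per source address, the number to alert or rate-limit on."""
    return Counter(e["client"] for e in events)

def unblocked_attempts(events):
    """Hits the rule matched but did not block: the engine is still in DetectionOnly."""
    return [e for e in events if not e["blocked"]]

if __name__ == "__main__":
    evs = parse_modsec_events(SAMPLE_LOG)
    print(attempts_per_client(evs).most_common())
    print("logged but not blocked:", [e["client"] for e in unblocked_attempts(evs)])
```

Point it at the real error_log (by default /var/log/apache2/error.log on Debian) to get the same per-address counts from live data.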
There’s a good article on DigitalOcean’s tutorials page about enabling it here.