Blocking WordPress password resets

Had an issue with people attempting password resets against one of my wordpress instances, when it’s something I’ll literally never require.

Since it’s running on Apache, I decided to use mod_security to implement, blocking and alerting with ease.

SecRule REQUEST_FILENAME "wp-login.php" "id:'400002',chain,deny,log,msg:'Password reset form attempt'"
SecRule ARGS:action "@contains lostpassword"

This is really simple, and nukes the ability for people to reset the password - and easy to remove if someone does have to do it :)

Update 2018-03-31…. the reality of making it work is slightly longer, since I recently had to do it again myself, here goes:

  • To install it, run: sudo apt-get install libapache2-mod-security2
  • The lines above go in the file /etc/modsecurity/block_wordpress_password_reset.conf
  • Once you’ve done that, you’ll need to enable mod_security - copy the default config file to a production one (sudo cp /etc/modsecurity/modsecurity.conf{-recommended,})
  • Find this line: SecRuleEngine DetectionOnly and change it to SecRuleEngine On to enable enforcement.
  • Enable the module (sudo a2enmod security2) and
  • Once you’ve restarted apache sudo service apache2 restart. You should be all good to go!

There’s a good article on DigitalOcean’s tutorials page about enabling it here.

#wordpress #apache #security