Blocking WordPress password resets

Had an issue with people attempting password resets against one of my WordPress instances, when it’s something I’ll literally never require.

Since it’s running on Apache, I decided to use mod_security to implement blocking and alerting with ease.

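# Match requests for wp-login.php, then chain to a check on the "action" argument.
# Both conditions must match before the deny/log actions on the first rule fire.
SecRule REQUEST_FILENAME "wp-login.php" "id:'400002',chain,deny,log,msg:'Password reset form attempt'"
    SecRule ARGS:action "@contains lostpassword"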

This is really simple and nukes the ability for people to reset the password, and it's easy to remove if someone does have to do it :)
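To confirm the rule is actually catching these requests, the added example below (not part of the original post) scans Apache combined-format access log lines for reset requests and splits them into blocked and allowed per client IP. The function name `reset_attempts`, the sample log lines and the assumption that a bare `deny` shows up as status 403 are mine.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log line: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def reset_attempts(lines):
    """Return (blocked, allowed) Counters of reset requests keyed by client IP."""
    blocked, allowed = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-login.php"):
            continue
        # Mirror the rule's "@contains lostpassword" test on the action argument.
        # Only the query string is visible in an access log, not POST bodies.
        actions = parse_qs(url.query).get("action", [])
        if not any("lostpassword" in a for a in actions):
            continue
        # Assumption: the rule's bare "deny" answers with 403 (ModSecurity default).
        (blocked if m["status"] == "403" else allowed)[m["ip"]] += 1
    return blocked, allowed

# Constructed sample lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 403 199 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:10:02:00 +0000] "GET /blog/wp-login.php?action=lostpassword HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [10/Mar/2024:10:03:00 +0000] "GET /index.php?action=lostpassword HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    blocked, allowed = reset_attempts(SAMPLE_LOG)
    for ip, n in blocked.items():
        print(f"blocked {n:3d} reset request(s) from {ip}")
    for ip, n in allowed.items():
        print(f"ALLOWED {n:3d} reset request(s) from {ip} (rule not applied?)")
```

Any entry in the allowed counter means a reset request reached WordPress, for example on a vhost where the rule is not loaded or after the rule was removed and never put back.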


Tags: wordpress apache security