CASE STUDY: Password Reset Not Working

I was approached by a client who was having problem with the wordpress password reset.

The Poblem

My cient was attempting to change his password from the normal password change screen under wp-admin.  When he attempted to reset his admin user password, a new password was sent, but the new password did not work.

As a side note, his ISP had reported that certain scripts on his blog were open for vulnerabilities.

My Solution

I suspected that the blog had been hacked and the password reset was sending to some nefarious web troll.

What I did was to white-hat hack the database, and using techniques I don’t want to document here, I was able to get a new MD5 encrypted password.  I then updated the database with that password so I was able to login with an admin level password.

The next stage of the fix was to restore the wordpress code base, I took a copy of wp-config.php, backed up all of the existing files before deletingthe blog root, wp-admin and wp-includes, next I refreshed the blogs code base with a mint copy 0f wordpress 2.7 and re-installed wp-config.php.

The Outcome

The blog was back online and in full working order.  My client was happy and I am now on his blogroll.