Yesterday, WPBeginner was facing some hacker attack. It was users trying to reset the password, but thankfully they could not get the random password because the site is not using the default admin user. But nonetheless it was an annoying thing to deal with. Hackers kept trying to reset our password and we had to deal with it for six times until we added more security layers.
Update: Apparently there were some miscommunication in this post which makes the issue look a bit more frightening. The hacker must use an email or the user that is being used to reset the passwords. One of our mistake was that we used the same email we were using to respond to the questions asked by our users. Which is what probably compromised the security even more.
WordPress was reported of this security issue, and once again their quick support has released a new version with security fixes.
As said on WordPress Blog:
Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
We strongly recommend you to upgrade to this version of WordPress as soon as possible and avoid this issue. To upgrade, you should go to Tools > Upgrade in your Admin Panel and upgrade to WordPress 2.8.4.
Have a question or suggestion? Please leave a comment to start the discussion.