[wp-hackers] Changing wordpress.org Passwords

Beau Lebens beau at dentedreality.com.au
Mon Dec 13 21:07:08 UTC 2010


I just had a friend ask me how he should change his wordpress.org
password, because it was compromised as part of the Gawker hacking[1].

I assumed he was being lazy, but checked anyway -- it's surprisingly
difficult/inconsistent to do anything user-account related with
wordpress.org (the website) users.

Currently there are 4 different experiences (at least):

1. http://wordpress.org/extend/plugins/ --> once logged in, click your
name and goes to e.g.
http://wordpress.org/extend/plugins/profile/beaulebens

2. http://wordpress.org/extend/themes/ --> doesn't carry cookie over
from /plugins/. Once you log in again, clicking your username (doesn't
show your display name like /plugins/ does) goes to
http://wordpress.org/extend/themes/profile/beaulebens (different
profile page)

3. http://wordpress.org/support/ --> shows your display name + a link
to "View your profile". Clicking that link goes to
http://wordpress.org/support/profile/beaulebens (*another* different
profile page). From here there's actually a link ("Edit") that allows
you to change your password. That's the only one I could find.

4. Check out a plugin (e.g.
http://wordpress.org/extend/plugins/wickett-twitter-widget/) and click
one of the author links; goes to http://profiles.wordpress.org, which
doesn't allow you to modify your password anywhere that I can find.

http://profiles.wordpress.org/users/beaulebens/ seems to be the most
full-featured profile system currently. It shows plugins, themes and
forum contributions, in addition to Trac mentions. My suggestion would
be to include the ability to modify your password there, then change
all links (/support/, /plugins/ and /themes/) to point over to that
profile page.


Beau


[1] http://www.huffingtonpost.com/2010/12/12/gawker-hack-hacked-databa_n_795613.html

