The wordpress.com login mechanism is not secure!
[Update, it has been addressed, pity there was no announcement, and no warning with details of how to login securely]
Even when you go to it via secure-http, at https://www.wordpress.com, the login is done insecurely.
Why ? Because the login information is still posting to a non-secure http:// location.
What does this mean ?
Consider :
- your login name and password are sent in plain text, not encrypted.
- there is the potential that anybody on your lan, at the internet-cafe, at school, work, in the airport etc can get your password. They don’t even need to be very technically savvy.
Closer analysis of the website @ https://www.wordpress.com reveals the form is set as follows :
<form name="loginform" id="loginform" action="http://wordpress.com/wp-login.php" method="post">
Shouldn’t the action be to https://wordpress.com/wp-login.php ??
Thankfully, firefox alerts me to this with a message, so at least with that browser I may be aware something is not quite right.
“Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.” is the message, as per the image below.
I found this suprising.
For instance, here [http://wordpress.com/blog/2006/03/08/secure-blogging/] is a blog entry touting the security of WordPressfrom 2006, yet today the login is very far from secure.
An Cuasán 
I have reported this to wordpress, as I’ve just tried it again and it’s still unsecure.
I captured some data from the transfer from when I hit the ‘login’ button on the page.
log=my-fake-user-name&pwd=top+secret&testcookie=1&submit=LoginHTTP/1.1 200 OK
Vary: Cookie
X-hacker: If you’re reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
I never received a response from wordpress.
I have re-checked their landing page over the last few months, and indeed the login form is deferring to a secure location via a HTTP POST to a HTTPS URI.