Ramblings · TechIt

Wordpress Security : User account details at risk

The wordpress.com login mechanism is not secure!

[Update, it has been addressed, pity there was no announcement, and no warning with details of how to login securely]

Even when you go to it via secure-http, at https://www.wordpress.com, the login is done insecurely.

Why ? Because the login information is still posting to a non-secure http:// location.

What does this mean ?

Consider :

  1. your login name and password are sent in plain text, not encrypted.
  2. there is the potential that anybody on your lan, at the internet-cafe, at school, work, in the airport etc can get your password. They don’t even need to be very technically savvy.

Closer analysis of the website @ https://www.wordpress.com reveals the form is set as follows :

<form name="loginform" id="loginform" action="http://wordpress.com/wp-login.php" method="post">

Shouldn’t the action be to https://wordpress.com/wp-login.php ??

Thankfully, firefox alerts me to this with a message, so at least with that browser I may be aware something is not quite right.

Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.” is the message, as per the image below.

unsecure press

Image Link

I found this suprising.

For instance, here [http://wordpress.com/blog/2006/03/08/secure-blogging/] is a blog entry touting the security of WordPressfrom 2006, yet today the login is very far from secure.


4 thoughts on “Wordpress Security : User account details at risk

  1. I have reported this to wordpress, as I’ve just tried it again and it’s still unsecure.

    I captured some data from the transfer from when I hit the ‘login’ button on the page.

    log=my-fake-user-name&pwd=top+secret&testcookie=1&submit=LoginHTTP/1.1 200 OK
    Vary: Cookie
    X-hacker: If you’re reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

  2. Pingback: Secure Wordpress.com login « LifelongPassion
  3. I never received a response from wordpress.
    I have re-checked their landing page over the last few months, and indeed the login form is deferring to a secure location via a HTTP POST to a HTTPS URI.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s