Protect your WordPress login

Update: This post is outdated. We now offer SSL certificates for free to all customers, and recommend that you make your entire WordPress blog use SSL (rather than just making the dashboard SSL using the FORCE_SSL_ADMIN trick described below).

Do you login to your WordPress blog securely? Are your username and password encrypted so that “hackers” can’t steal them and then break into your blog? (Probably not!)

By default, each WordPress blog is configured to send the login username and password as plain (unencrypted) text. If a hacker can see what you are sending during your login, they can easily steal your username and password. This can happen if you have a virus installed on your computer. It can also happen if your computer is virus-free but connects via WiFi. If your main computer uses a wireless connection, or if you or other users of your blog ever login with their laptops — blogging from a coffee shop, anyone? — remember that these connections can be insecure, and could be susceptible to revealing your password.

You can protect your blog by installing an “SSL certificate” and configuring WordPress to require secure logins. Your browser will then encrypt your username and password so that no one can intercept them.

Traditionally, only online stores used SSL certificates because they were very expensive. But SSL certificate prices have dropped quite a bit recently, and they’re now low enough that we think SSL certificates should be widely used to protect all logins and other sensitive data.

If you are a Tiger Technologies customer, you can get an SSL certificate for a great price. (One type of certificate, a “self-signed certificate”, is even free if you’re already on our Gold or Platinum hosting plans.) If you’re not a Tiger Technologies customer, you can search for companies selling SSL certificates or search for free self-signed certificates.

Configuring WordPress

Once you have an SSL certificate installed on your site, it’s easy to configure WordPress to use secure logins. Simply add this line anywhere to your wp-config.php file (after the opening “<?php” line):

define('FORCE_SSL_ADMIN', true);

This will ensure that your username and password are submitted to WordPress securely; all of your subsequent work (creating posts, etc) will be secure as well. You’ll see your Web browser’s “padlock” icon when you are using a secure connection. The WordPress “Administration Over SSL” page has more details.

10 Comments

  1. I used to use htpasswd on wp-admin directory and wp-login.php as well. adding extra security. not the best method, but it helps.

  2. on Thursday, May 27, 2010 at 11:15 pm (Pacific) y wrote:

    I used to use htpasswd on wp-admin directory and wp-login.php as well. adding extra security. not the best method, but it helps.

    I hate to break it to you, but htpasswd is transmitted in the clear. So they can just as easily easily get the htpasswd as they can your wordpress password.

  3. This is actually an interesting point. “y” wrote that he or she had added Web page “htpasswd” protection (aka “HTTP password authentication“) to the wp-admin directory and wp-login.php “as well”.

    If “y” meant “as well as protecting the site by SSL”, then that actually is secure: the HTTP password is encrypted, too, as long as you use “https://…” to access the site.

    But if “y” meant “as well as using the WordPress password”, then “z” is right: Both the HTTP authentication password and the separate WordPress password would be transmitted as plaintext.

    There are really two separate things going on here, though. SSL security protects against eavesdroppers, but an extra level of password protection defends against a different kind of WordPress attack: a “script vulnerability”, or security bug in WordPress itself.

    Imagine that a hacker discovers that the “wp-login.php” script contains a bug. This hypothetical bug allows anyone to login to any WordPress site as an administrator by simply typing “Mr. Bun” as the password. SSL won’t protect you against a bug like that, but adding an extra level of HTTP authentication password protection, especially if it uses a different password, will stop the hacker from even connecting to wp-login.php in the first place. That way the bug can’t be exploited.

    Although the example we gave above about a simple bug in wp-login.php sounds silly, earlier versions of WordPress actually did have subtler, more complex bugs in wp-admin or wp-login.php that allowed attackers to take over a blog. Using HTTP password authentication for wp-admin and wp-login.php protected site owners against at least two of these bugs.

    If you’re concerned about this (and you probably should be — we’re concerned about it on our own blog), using an extra password (or similar mechanism like access control by IP address) and SSL security is the best way to go. The extra password protects you against bugs in WordPress, and the SSL encryption separately makes sure that nobody can intercept any of the passwords, even if you’re on an insecure public Internet connection.

  4. It really a big help to us….It can protect our blog by installing an SSL certificate and configuring WordPress to require secure logins.. adding extra security. Thanks to your informative article more power to your site! G-d bless 😉

  5. Is SSL THE best way to protect your site, as you do get other plugins that you can install.???

  6. If you really want to use HTTP password authentication and can’t use SSL, you should at least try to use digest authentication. The bad guys can still see your WordPress password and everything else you submit, but they can’t get the digest authentication password itself.

  7. @Wasim Ismail – Using SSL encrypts data being transmitted. The point of this blog post was that usernames and passwords are being sent as plain text during the WordPress admin login process. Forcing SSL, or HTTPS, as the protocol is just part of securing the administrative area of WordPress, but it’s a very good start.

  8. That’s right — using SSL is the right way to encrypt your WordPress username and password when you login.

    There may be plugins that add certain security features, but they won’t be able to protect your username and password. SSL is definitely the right way to go. (It protects your username and password all the way from your browser, over your laptop’s WiFi connection, over the Internet, and all the way to the Web server.)

  9. Very useful article as always here on Tigertech. Ordered SSL today for secure admin login. Facebook require also SSL if you plan to setup a fanpage as well.

    One thing I am unsure about. Do I need to include “see below” with use of the free private SSL coming with Gold Plan?

    if ($_SERVER[‘HTTP_X_FORWARDED_PROTO’] == ‘https’)
    $_SERVER[‘HTTPS’]=’on’;

    Refer to http://codex.wordpress.org/Administration_Over_SSL

    Using a Reverse Proxy
    If WordPress is hosted behind a reverse proxy that provides SSL, but is hosted itself without SSL, these options will initially send any requests into an infinite redirect loop. To avoid this, you may configure WordPress to recognize the HTTP_X_FORWARDED_PROTO header (assuming you have properly configured the reverse proxy to set that header).

    Example
    define(‘FORCE_SSL_ADMIN’, true);
    define(‘FORCE_SSL_LOGIN’, true);
    if ($_SERVER[‘HTTP_X_FORWARDED_PROTO’] == ‘https’)
    $_SERVER[‘HTTPS’]=’on’;

  10. Jessica: we don’t put sites behind a reverse proxy, so you don’t need to do anything beyond defining “FORCE_SSL_ADMIN” or “FORCE_SSL_LOGIN” as desired. But please check your email because we had a question about your SSL order.