Secure WordPress login without HTTPS

Do you access a WordPress installation on a web server without HTTPS? If so, your passwords are sent in plaintext every time you log in, register for accounts, add new users through the admin interface, or change user passwords.

Unfortunately, if you use a professional web host, there is a good chance that you are stuck in a situation where you use WordPress for your blog or website but cannot use HTTPS to secure your access to your WordPress installation. There are many possible reasons: HTTPS is simply not offered, HTTPS costs quite a bit extra to have enabled, your WordPress installation is in a shared hosting environment, or multiple domains you own are tied to your hosting account in a way that complicates the issuing of certificates and the setup of HTTPS.

Fortunately, there is a solution (actually, one of many) for WordPress fans to improve the security of passwords sent over HTTP.

Semisecure Login Reimagined is a plugin for WordPress that implements client-side (browser-side) encryption in JavaScript, complete with the use of nonces to protect against replay attacks (note that this plugin is NOT designed to necessarily protect against session hijacking). My installation instructions are at the bottom of this post.

Plugin Details:
About link: WordPress Plugins Directory/Semisecure Login Reimagined
Requires WordPress version: 2.7 or higher
Tested with WordPress version: 2.8.6 by me
Plugin homepage link: Moggy’s Website/Semisecure Login Reimagined v3
Author homepage link: Moggy

Description of plugin from the WordPress plugin directory:

“Semisecure Login Reimagined increases the security of the login process by using a combination of public and secret-key encryption to encrypt the password on the client-side when a user logs in. JavaScript is required to enable encryption. It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.”

Automatic installation instructions:

  1. Log in to your WordPress installation through the admin interface as one of your administrator-privileged users (http://your-site-url-here/wp-admin/), and be sure to do this from a trusted, non-public Internet connection, on a private network and not over a wireless connection.
  2. Click on Plugins on the left navigation bar.
  3. With Plugins selected, there should now be an Add New link just beneath Plugins in the left navigation bar. Click on Add New just beneath the word Plugins.
  4. On the Install Plugins page under Search, be sure that Term appears in the drop-down (else click the drop-down arrow and select Term) and then enter in the search box to the right of Term “semisecure login reimagined” exactly as shown (but without the quotes). Click Search Plugins.
  5. In the search results, Semisecure Login Reimagined should appear. All the way on the right-side of that result should be an Install link. Click on Install.
  6. In the box that appears, click on the (red) Install Now button.
  7. On the results page, click on Activate Plugin. You now have secure login wherever available, but we can do better (so keep reading the following steps).
  8. Click on Plugins on the left navigation bar.
  9. Under Semisecure Login Reimagined, click Settings to edit that plugin’s settings.
  10. Note the Wikipedia quote stating, “RSA claims that 1024-bit keys are likely to become crackable some time between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. An RSA key length of 3072 bits should be used if security is required beyond 2030.” In the Number of bits drop-down, select the number of bits you wish for the encryption to use. 1024 is the default (faster performance) but is likely to be easily crackable by the end of 2010, 2048 is considerably better at present, and 3072 might be even better (but will have slower performance). You should pick what you feel most comfortable with; if you are unsure and this is for a blog that you and possibly a few others manage, I would recommend picking 2048 for better security and a slight performance decrease (only during authentication).
  11. Click the Generate Key button.
  12. Click Misc Settings up near the top of the page.
  13. Check the box next to Encrypt passwords when managing users?. Congratulations! Now not only are your initial login passwords encrypted, but also passwords entered when adding new users, changing passwords, etc.
  14. (If you experience problems logging in, likely due to caching issues, set the Nonce setting to Asynch (Ajax). Otherwise, you can probably just leave this setting as-is.)
  15. Click the Update Options button.

Log out, log back in, and on the login page you should see a little message stating, “Semisecure Login is enabled,” just below the Password entry box. Congratulations, your passwords are no longer being sent in plaintext!

If you like this tutorial, please share it with others, link to this post, and let me know!
