6 Responses

  1. Rudd, September 10, 2013 at 23:50

    Good point, never log in on any public network without using a safe connection. Well, alternatively you could use a VPN to make sure you have a secure connection on a public network.

  2. Amanda, September 11, 2013 at 17:28

    The plugin ‘Semisecure Login Reimagined’ does a bit of JavaScript encryption to stop the login details being sent in plain text. No longer maintained, sadly, but it still works.

  3. James Mowery (@JMowery), September 12, 2013 at 18:47

    Unfortunately, this is a really nasty issue. Thanks, Jean, for bringing attention to it! Speaking of security, WordPress just released an important security update — WordPress 3.6.1 — that people should also upgrade to.

    It’s also worth mentioning that our team over at ManageWP takes WordPress security very seriously. We help protect against these types of attacks. We use a secure SSL connection on our site, and we also utilize OpenSSL (as opposed to a weaker XML-RPC that WordPress utilizes) for communicating with our worker plugin that connects ManageWP to each individual WordPress site. This ensures the highest level of protection possible, and could be an easy solution that handles the above situations.

    Still, if you’re out and about on a public network, definitely use a VPN, as Rudd suggested, as it will protect all your work. Personally, I use Private Internet Access — I haven’t had any issues with them and they have servers all around the world; they also work with mobile devices.

    Most importantly, always keep your sites updated! 🙂

  4. Frank, October 11, 2013 at 13:09

    One thing to note would be that if you do not have an SSL connection but you use two-step authentication, it will still be possible to get hacked by someone sniffing your login data, as they can also see the authenticator token you enter. This is only possible if the hacker is really quick, as the token expires quickly, but it is possible.

  5. Miles Gilmour, January 27, 2014 at 05:09

    I’ve found that Yubikey (or similar) – which is a very simple physical device that emulates a USB keyboard and generates a one-time password – is a great way to circumvent this threat.

    Yubikey offers a WordPress plugin, and you can configure it so that only the admin user needs to use it; other users with lower access levels can log in with just a username and password.

  6. Dan, May 3, 2014 at 05:08

    Consider also: someone could have temporarily had admin access to any WordPress site on your server / cPanel installation, then used PHP `glob("../*")` to find your other sites and inject password sniffers at site level, so your password could be compromised on any of the sites on your server without even needing to be on a network with other hackers. BTW, I’ve done this before and it’s amazing how often it works.
