This version has been upgraded to be compatible with WordPress 2.5 and is based on the original Semisecure Login plugin by James M. Allen.
IMPORTANT TECHNICAL NOTES
This plugin requires the MD5 Password Hashes plugin for WordPress 2.5 (https://wordpress.org/extend/plugins/md5-password-hashes/).
For technical reasons, users of this plugin may find they have to attempt to log in to their site twice – the first login attempt will fail, the second one will succeed. The reasons for this are beyond the scope of this document. If you really want to know why this is, or if you want to fix it, see the comment headed “README – IMPORTANT NOTE” in semisecure-login.php, included with this document. A full fix for this problem requires a minor edit to WordPress code, so it is recommended only for the technically inclined.
- How does this work?
- How do I know this plugin is working?
- Is this really secure?
Short answer: No, but it’s better than nothing.
Without SSL, you’re going to be susceptible to replay attacks/session hijacking no matter what. What this means is that if someone is able to guess or learn the session ID of a logged-in user (which would be trivial to do in an unprotected wireless network), then essentially they could do anything to your WordPress site by masquerading as that user.
- So what’s the point?
The point of this is to prevent your password from being transmitted in the “clear.” If someone is in a position where they can learn your session ID, under normal circumstances, they’d also be able to learn your password. The proper use of this plugin removes that possibility.
- How can I make my site REALLY secure?
Use SSL. This means you’ll have to have a dedicated IP (which usually costs additional money) and an SSL certificate (which is expensive for a “real” one, but if you’re just using this for your own administration purposes, a “self-signed” certificate would probably suffice). Any more detail on these two things is beyond the scope of this document.
- Upgrade for WordPress 2.5
- Bug: Fixed “headers already sent” warning when starting sessions.
- Enhancement: Added messages to the login window to indicate whether Semisecure Login is enabled and functional.
- Clarified documentation.
- Enhancement: Forced expiration of the login nonce after its one potential use. Previously, this could stick around and thus would be vulnerable to a replay attack if a session was hijacked.
- Initial Release