- Upload the entire semisecure-login/ directory to the
- Activate the plugin through the ‘Plugins’ menu in WordPress
How does this work?
How do I know this plugin is working?
Is this really secure?
Short answer: No, but it’s better than nothing.
Without SSL, you’re going to be susceptible to replay attacks and session hijacking no matter what. In practice, this means that if someone is able to guess or learn the session ID of a logged-in user (which would be trivial to do on an unprotected wireless network), then they could do essentially anything to your WordPress site by masquerading as that user.
So what’s the point?
The point of this is to prevent your password from being transmitted in the “clear.” If someone is in a position where they can learn your session ID, under normal circumstances, they’d also be able to learn your password. The proper use of this plugin removes that possibility.
How can I make my site REALLY secure?
Use SSL. This means you’ll have to have a dedicated IP (which usually costs additional money) and an SSL certificate (which is expensive for a “real” one, but if you’re just using this for your own administration purposes, a “self-signed” certificate would probably suffice). Any more detail on these two things is beyond the scope of this document.
Contributors & Developers
“Semisecure Login” is open source software. The following people have contributed to this plugin.
- Bug: Fixed “headers already sent” warning when starting sessions.
- Enhancement: Added messages to the login window to indicate whether Semisecure Login is enabled and functional.
- Clarified documentation.
- Enhancement: Forced expiration of the login nonce after its one potential use. Previously, this could stick around and thus would be vulnerable to a replay attack if a session was hijacked.
- Initial Release