What security does WordPress offer when it is freshly installed on the server?
Are our passwords being sent without encryption when we login?
I'm worried about logging into wp-admin without SSL. The standard wp-admin pages do not use a secure connection (https://). The Codex mentions administering over SSL, but there is a LOT of configuration that needs to happen on the server/host side:
You must also already have SSL configured on the server and a (virtual) host configured for the secure server before your site will work properly with these constants set to true.
Thus, I can assume most WordPress users do not use SSL or a secure browser connection. Are all our passwords being sent in clear text with no encryption? Even if my website is not hacked, but there are existing scripts running on the server (say, from other virtual websites), would they be able to capture my password when responding to the server because I don't have a secure connection?
The Security FAQ talks about making sure your host is using good security procedures, but I doubt ANY host can stay on top of all the security issues that are happening. I don't think anyone will ever be able to find a host with amazing security at a normal price. I use GoDaddy and really don't like my service, but other than 1and1 and some others, it is hard to find a good hosting option without paying more than $20/mo.
Obviously I use a long secure password now, but if my website has been hacked without me knowing it, couldn't the password be captured... and thus I would have to go through the entire process again of deleting the website, re-uploading, reconfiguring, re-loading the database tables? I guess I could be constantly using an external service to monitor my website files that notifies me if changes are seen, or choose to purchase a very expensive dedicated server hosting option... but these seem like enterprise solutions just to keep a blog secure.
I was hacked from a plugin from a theme I was using. I had the most up to date WordPress install, but the plugin used a writeable directory (I did not change the permissions on the directory; somehow the plugin must have made it writeable). After wiping out the site and re-installing WordPress as well as my files, I was hacked again. My personal email account was accessed from Egypt right around this time, and since I have a large amount of security on my personal computer, I think they were able to access my email account because I used the same password as the WordPress login.
I know using the same password as my email was a terrible choice, but everyone seems to say the same thing: "oh, you must not have had WordPress up to date". It WAS up to date; it was a small plugin as part of the "Lightword" theme that resized images.
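To make concrete what "sent in clear text" means for the login question above, here is an added example (not from this post and not WordPress code): it parses a constructed wp-login.php submission the way a monitoring sensor sitting on a plain-HTTP path would, and flags that the username and password travel as ordinary `log` and `pwd` form fields; the same request inside TLS yields nothing to flag. The host name, credentials and the `find_cleartext_wp_credentials` helper are assumptions made up for illustration.

```python
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample of a default WordPress login POST on plain HTTP (made-up host/credentials).
SAMPLE_BODY = "log=admin&pwd=correct+horse+battery&wp-submit=Log+In&testcookie=1"
SAMPLE_REQUEST = (
    "POST /wp-login.php HTTP/1.1\r\n"
    "Host: blog.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n" + SAMPLE_BODY
)

def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}

def find_cleartext_wp_credentials(raw: str, scheme: str = "http") -> Optional[dict]:
    """Return a redacted finding if `raw` is a WordPress login POST seen on a
    non-TLS connection, else None. `scheme` is what the observer saw: "http"
    means the bytes were on the wire in the clear; inside TLS ("https") the
    body is not readable, so there is nothing to flag."""
    if scheme != "http":
        return None
    req = parse_http_request(raw)
    if req["method"] != "POST" or not req["path"].startswith("/wp-login.php"):
        return None
    if "x-www-form-urlencoded" not in req["headers"].get("content-type", ""):
        return None
    form = parse_qs(req["body"])
    if "log" not in form or "pwd" not in form:
        return None
    # Record that the secret was exposed without copying it into logs or alerts.
    return {
        "host": req["headers"].get("host", "?"),
        "user": form["log"][0],
        "password_exposed": True,
        "password_length": len(form["pwd"][0]),
    }

if __name__ == "__main__":
    print(find_cleartext_wp_credentials(SAMPLE_REQUEST))  # plain HTTP: user 'admin', password exposed
```

Running the same request with `scheme="https"` returns None, which is the whole point of forcing the admin pages onto SSL: the form fields still exist, but nobody on the path can read them.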