How secure is wp-login (with HTTP POST) + cross-domain login (3 posts)

  1. Ella Iseulde Van Dorpe
    Posted 2 years ago #

    As far as I can see user credentials entered on wp-login.php are just sent with an HTTP POST request. Does WordPress do anything else to make logging in more secure?

    If credentials are just sent with a plain text HTTP POST request, then sending this information from a different domain is the same, right? So with a shared user table I could just log the user in on both domains. Is this in any way less secure?

    I'm not asking if it's the most secure way, just wondering if it's as secure as logging in on a WordPress install without SSL enabled. WordPress.org and WordPress.com don't use SSL either...

    [ Moderator note: duplicate topic deleted. You are already in the correct place for this question. ]

  2. Give this Codex article a read, it may help you get a handle on using SSL.


    This may also help you with hardening your WordPress installation.


    And if you're really concerned with someone brute force hacking your login (and that's a valid concern too, especially if you're not using a good login/password combination), give these a read as well.


  3. Ella Iseulde Van Dorpe
    Posted 2 years ago #

    Hey Jan,

    Thanks for your response, but I wasn't really asking about how to use SSL or about brute force attacks. I'm just wondering if sending a POST request with the username and password to a different domain is as secure as the same POST request to the same domain, just like it now happens in a normal WordPress install.

    Most WordPress websites don't use SSL and even if you do, you're not protected from brute force attacks, right? That's a different matter.
