I’ve come to realize that WP login is quite insecure even though most all browsers have built-in support for digest authentication.
Possibly my understanding is wrong, but from what little explanation exists on the WP plugins pages it seems that the subject plugin does NOT affect the login, on the wire, protocol used by WP. In that, it only involves storing passwords in the WP/DB such that other applications can do digest authentication. While this is a nice idea, it doesn’t help to improve the security associated with WP logins.
Wouldn’t it be better if the WP login were changed to utilize digest authentication? I think the PHP PEAR Auth package provides the means to do this with PHP and would allow it to be done without needing to author any client-side code. In that, by invoking the built-in HTTP digest authentication supported by most browsers you would substitute display of the standard WP login page for the browser’s authentication dialog and allow for more secure login.
Possibly I misunderstand what wp-http-digest does and would appreciate being enlightened.
- The topic ‘Is wp-http-digest plugin only a partial solution?’ is closed to new replies.