10 Comments


  1. Think you might have misread me there. Using the WordPress app over 3G is fairly unlikely to get sniffed. So actually I’d say you’re probably safe there. It’s one of those “it’s possible if you’re a hacker who is presenting how to do it at DefCon” type of things.

    I just don’t want anybody to get the impression that XML-RPC is insecure. It’s the traffic that is non-encrypted. XML-RPC is just the protocol being used, and yes, it has your credentials sent along with it.

    WiFi is simply insecure in general. Public WiFi even more so.


  2. Just as an additional recourse, and in the odd case where setting up a secure connection is a no-go, I would additionally suggest looking into the stopgap alternative of Semisecure Login Reimagined. It’s not enough to thwart e.g. session hijacking type attacks, but it’s still way better than nothing.


  3. @Otto: How does FireSheep impact someone who uses a VZW broadband modem as their internet connection? Is that type of connection vulnerable to FireSheep as well?


  4. Actually, as I mentioned in the forum post there are easier ways to protect yourself. Setting up a site to use SSL for admin login in WordPress is quite the pain. It’s easier to just install some helpful (and free) WordPress plugins.

    One is “Semi-Secure Login Reimagined” (free in the WP Plugin repository). It encrypts your WP password on login WITHOUT using SSL at all.

    Login Lockdown is another great free plugin, that locks out people using bad usernames or trying to login unsuccessfully multiple times.

    If you’re on public wifi the free “One-Time Password” plugin is a great way to login with a disposable password, and not have to worry about security at all.

    The most important thing is to know that you should be conscious of security, change your web control panel and WP logins every 30 days, and use 12 digit STRONG passwords – like the ones randomly generated from http://www.strongpasswordgenerator.com.


  5. @John Pratt – Who really changes their passwords every 30 days? The more sane thing to do would be to use a different, strong password for every login.


  6. @John Pratt – It’s worth noting that theft of your password isn’t the problem here. It’s theft of cookies. Firesheep doesn’t grab your password going over the wire, it grabs your authentication cookie and lets the attacker easily duplicate it, thus pretending to be you.


  7. @Jeffro – a LOT of people don´t change their password every 30 days, and that is why I get 2-3 ¨hacked blog¨ clients each week. I get malware clients, people hacked through WP plugins, people hacked through db sql injection, people hacked through themes or image uploads, people hacked through outdated software installed in the same domain, and more – ALL the time!

    I can´t tell you how many people keep their web control panel login passwords the same for YEARS, and they wonder why all their sites get hacked. What happens if somebody is deliberately sniffing your host for passwords for months – and then they sell the logins to hackers?

    Even online banking forces password resets, but most web control panels don´t – unless the company has had a security problem or breach (and by then it´s too late).

    Your web site is your work – protect it. I have told clients HUNDREDS of times – you have a deadbolt on the front door of your house you lock each night, and keyless entry to all your cars, why are you leaving all the doors and windows wide open 24/7 on your web site home?


  8. None of the WordPress plugins above protect you at all from firesheep or session hijacking at all, and yes SSL is the only way that you can be relatively assured that your connection is secure and also that you are talking to the site that you think you are. SSL validates the identity of the server as well as encrypting the connection.

    However, trusting the router to deliver you to the right server is a bit easier than trusting everyone on your public network not to be snooping your session to hijack it, and once it’s hijacked, they can easily enough change your password to lock you out! If you don’t have SSL, at the least, you can create a user with limited privileges so that you can post to your website from a public place – just remember to change the owner of the post later to something that this username can’t trash. Then, worst case, some mean snooper could flood your site with nasty posts and deface it a bit, but without actually damaging anything existing there. And they can’t lock you out of your admin account.

    Don’t ever use an admin account on a public network *even with SSL* as it too can be cracked with enough work and enough packets going back and forth.


  9. Now that I understand better what FireSheep does, I agree – most of those plugins won’t help. All but one. You can STILL use the “One Time Login” plugin, and it will project you from FireSheep – because it’s only good for logging in one time. Even if firesheep hijacked your login authentication cookie – that login is only good for logging in ONE TIME. I agree as well, you should never login using your admin wordpress account over public wifi.


  10. @John Pratt – That’s actually not true either — One Time Login is pretty much useless against Firesheep. After that one login, you’ll have the same authentication cookies for the duration of the session.

Comments are closed.