Protecting WordPress Login Credentials From Firesheep

There’s been a lot of hype around a tool released not too long ago called Firesheep. In a nutshell, Firesheep is a Firefox extension that listens to the traffic on an open Wi-Fi network and picks out the session cookies that popular sites such as WordPress.com, self-hosted WordPress installations, Twitter and Facebook send over plain HTTP. It never needs your password: once it has captured a logged-in cookie, it lets you click on the victim’s name and use their account as if you had signed in yourself. In all actuality, this weakness is nothing new and has been around as long as shared networks have; anyone on the same network segment has always been able to read unencrypted traffic, and Firesheep simply made it point-and-click. The only way to protect yourself is an encrypted connection between your machine and the web server for the whole session, not just the login form, because the cookie that Firesheep steals is sent with every request after you log in. This is typically handled via SSL.

If you want to protect your credentials on a self-hosted WordPress installation, the Codex article Administration Over SSL is a good start. The setting that matters is FORCE_SSL_ADMIN in wp-config.php, which keeps both the login and the entire admin session on HTTPS; FORCE_SSL_LOGIN by itself only encrypts the password submission and then lets the session cookie travel in the clear, which is exactly what Firesheep picks up. I’ve also learned thanks to Otto that the WordPress app for iPhone is at risk of having credentials sniffed because the app talks to your site over the XML-RPC protocol, which carries your username and password in every request; unless xmlrpc.php is served over HTTPS, they go out in plain text. Using the app over 3G instead of Wi-Fi does not protect the data from sniffing either.
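To make the risk concrete, here is an added example written for this post; it is not code from Firesheep, WordPress or the Codex article. The first function does what a sidejacking tool does: it reads a cleartext HTTP request and picks out the WordPress session cookies (WordPress names them wordpress_, wordpress_logged_in_ and wordpress_sec_ followed by the md5 of the site URL). The second is the check a site owner actually wants: given the response that set those cookies at login, it lists every session cookie that arrived without the Secure flag, which is the condition under which the browser will hand the cookie to anyone sniffing the next plain-http request. The site URL and the HTTP messages below are constructed for the example, not captured from a real site.

```python
import hashlib
import re

# WordPress derives the cookie-name suffix (COOKIEHASH) from md5(siteurl).
# The site URL is a constructed example, not one from the article.
SITE_URL = b"http://example.com"
COOKIEHASH = hashlib.md5(SITE_URL).hexdigest()

# Session cookies only: the auth cookie, the "logged in" cookie and the
# secure variant. wordpress_test_cookie and wp-settings-* are deliberately
# not matched because they carry no session.
WP_SESSION_COOKIE = re.compile(r"^wordpress_(?:logged_in_|sec_)?[0-9a-f]{32}$")


def parse_headers(raw_message: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP message into its start line and (name, value) pairs.

    Header names are lower-cased so callers can compare them directly."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def sniff_wp_session_cookies(raw_request: str) -> dict[str, str]:
    """What a passive listener on the same network gets from one cleartext
    request: every WordPress session cookie, name and value, ready to replay.
    No password is involved; the cookie alone is the credential."""
    _, headers = parse_headers(raw_request)
    stolen = {}
    for name, value in headers:
        if name != "cookie":
            continue
        for pair in value.split(";"):
            cname, _, cvalue = pair.strip().partition("=")
            if WP_SESSION_COOKIE.match(cname):
                stolen[cname] = cvalue
    return stolen


def cookies_exposed_to_sniffing(raw_response: str) -> list[str]:
    """Return the WordPress session cookies a response set without the Secure
    flag. Without it the browser will attach the cookie to any http:// request
    for the site, so encrypting only the login page does not help."""
    _, headers = parse_headers(raw_response)
    exposed = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cname = parts[0].partition("=")[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if WP_SESSION_COOKIE.match(cname) and "secure" not in attrs:
            exposed.append(cname)
    return exposed


# Constructed traffic. The cookie value mimics WordPress's user|expiry|hmac
# layout (URL-encoded), but the contents are made up.
SNIFFED_REQUEST = (
    "GET /wp-admin/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Cookie: wordpress_test_cookie=WP+Cookie+check; "
    f"wordpress_logged_in_{COOKIEHASH}=admin%7C1290000000%7Cdeadbeef; "
    "wp-settings-1=editor%3Dhtml\r\n"
    "\r\n"
)

# Login response from a site that lets the admin session run over plain HTTP.
INSECURE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    f"Set-Cookie: wordpress_{COOKIEHASH}=admin%7C1290000000%7Cdeadbeef; path=/wp-admin; httponly\r\n"
    f"Set-Cookie: wordpress_logged_in_{COOKIEHASH}=admin%7C1290000000%7Cdeadbeef; path=/; httponly\r\n"
    "Location: http://example.com/wp-admin/\r\n"
    "\r\n"
)

# Login response from a site that keeps the session on HTTPS and marks the
# cookies Secure, so the browser never sends them over plain http.
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    f"Set-Cookie: wordpress_sec_{COOKIEHASH}=admin%7C1290000000%7Cdeadbeef; path=/wp-admin; secure; httponly\r\n"
    f"Set-Cookie: wordpress_logged_in_{COOKIEHASH}=admin%7C1290000000%7Cdeadbeef; path=/; secure; httponly\r\n"
    "Location: https://example.com/wp-admin/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("sniffed:", sniff_wp_session_cookies(SNIFFED_REQUEST))
    print("exposed (insecure site):", cookies_exposed_to_sniffing(INSECURE_RESPONSE))
    print("exposed (hardened site):", cookies_exposed_to_sniffing(HARDENED_RESPONSE))
```

Run it and the first line shows the single cookie an attacker needs; the second lists both session cookies of the http-only site as exposed, and the third is empty. To audit your own site, paste the Set-Cookie headers your browser's network inspector shows after logging in into cookies_exposed_to_sniffing and expect an empty list.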

We have a thread ongoing in the Tavern forum talking about Firesheep and data sniffing in general. As Otto points out, when in doubt, use encryption.

Who is Jeff Chandler

Jeff Chandler is a WordPress guy in the Buckeye State and a contributing writer for WPTavern. He has been writing about WordPress since 2007 and hosts the WordPress Weekly Podcast.
