Protecting WordPress Login Credentials From FireSheep

There’s been a lot of hype around a new tool that was released not too long ago called FireSheep. In a nutshell, FireSheep is an extension for FireFox that monitors the airwaves of public Wi-Fi to sniff out login credentials to popular websites such as, self-hosted WordPress installations, Twitter, Facebook, and more. Once those credentials have been located, FireSheep makes it easy for you to use them in order to gain access to someones account. In all actuality, this vulnerability is nothing new and has been around since the days wireless access was created. The only way to protect yourself from this vulnerability is to use an encrypted connection between your machine and the web server. This is typically handled via SSL.

If you want to protect your credentials for your self hosted WordPress installation, the following Codex article, Administration Over SSL is a good start. I’ve also learned thanks to Otto that the WordPress app for iPhone is also at risk from having credentials sniffed out because the app uses the XML-RPC protocol. Even using the app over 3G instead of Wi-Fi does not protect the data from sniffing.

We have a thread ongoing within the Tavern forum talking about FireSheep and data sniffing in general. As Otto points out, when in doubt, use encryption.


10 responses to “Protecting WordPress Login Credentials From FireSheep”

  1. Think you might have misread me there. Using the WordPress app over 3G is fairly unlikely to get sniffed. So actually I’d say you’re probably safe there. It’s one of those “it’s possible if you’re a hacker who is presenting how to do it at DefCon” type of things.

    I just don’t want anybody to get the impression that XML-RPC is insecure. It’s the traffic that is non-encrypted. XML-RPC is just the protocol being used, and yes, it has your credentials sent along with it.

    WiFi is simply insecure in general. Public WiFi even more so.

  2. Just as an additional recourse, and in the odd case where setting up a secure connection is a no-go, I would additionally suggest looking into the stopgap alternative of Semisecure Login Reimagined. It’s not enough to thwart e.g. session hijacking type attacks, but it’s still way better than nothing.

  3. @Otto: How does FireSheep impact someone who uses a VZW broadband modem as their internet connection? Is that type of connection vulnerable to FireSheep as well?

  4. Actually, as I mentioned in the forum post there are easier ways to protect yourself. Setting up a site to use SSL for admin login in WordPress is quite the pain. It’s easier to just install some helpful (and free) WordPress plugins.

    One is “Semi-Secure Login Reimagined” (free in the WP Plugin repository). It encrypts your WP password on login WITHOUT using SSL at all.

    Login Lockdown is another great free plugin, that locks out people using bad usernames or trying to login unsuccessfully multiple times.

    If you’re on public wifi the free “One-Time Password” plugin is a great way to login with a disposable password, and not have to worry about security at all.

    The most important thing is to know that you should be conscious of security, change your web control panel and WP logins every 30 days, and use 12 digit STRONG passwords – like the ones randomly generated from

  5. @John Pratt – It’s worth noting that theft of your password isn’t the problem here. It’s theft of cookies. Firesheep doesn’t grab your password going over the wire, it grabs your authentication cookie and lets the attacker easily duplicate it, thus pretending to be you.

  6. @Jeffro – a LOT of people don´t change their password every 30 days, and that is why I get 2-3 ¨hacked blog¨ clients each week. I get malware clients, people hacked through WP plugins, people hacked through db sql injection, people hacked through themes or image uploads, people hacked through outdated software installed in the same domain, and more – ALL the time!

    I can´t tell you how many people keep their web control panel login passwords the same for YEARS, and they wonder why all their sites get hacked. What happens if somebody is deliberately sniffing your host for passwords for months – and then they sell the logins to hackers?

    Even online banking forces password resets, but most web control panels don´t – unless the company has had a security problem or breach (and by then it´s too late).

    Your web site is your work – protect it. I have told clients HUNDREDS of times – you have a deadbolt on the front door of your house you lock each night, and keyless entry to all your cars, why are you leaving all the doors and windows wide open 24/7 on your web site home?

  7. None of the WordPress plugins above protect you at all from firesheep or session hijacking at all, and yes SSL is the only way that you can be relatively assured that your connection is secure and also that you are talking to the site that you think you are. SSL validates the identity of the server as well as encrypting the connection.

    However, trusting the router to deliver you to the right server is a bit easier than trusting everyone on your public network not to be snooping your session to hijack it, and once it’s hijacked, they can easily enough change your password to lock you out! If you don’t have SSL, at the least, you can create a user with limited privileges so that you can post to your website from a public place – just remember to change the owner of the post later to something that this username can’t trash. Then, worst case, some mean snooper could flood your site with nasty posts and deface it a bit, but without actually damaging anything existing there. And they can’t lock you out of your admin account.

    Don’t ever use an admin account on a public network *even with SSL* as it too can be cracked with enough work and enough packets going back and forth.

  8. Now that I understand better what FireSheep does, I agree – most of those plugins won’t help. All but one. You can STILL use the “One Time Login” plugin, and it will project you from FireSheep – because it’s only good for logging in one time. Even if firesheep hijacked your login authentication cookie – that login is only good for logging in ONE TIME. I agree as well, you should never login using your admin wordpress account over public wifi.

  9. @John Pratt – That’s actually not true either — One Time Login is pretty much useless against Firesheep. After that one login, you’ll have the same authentication cookies for the duration of the session.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: