Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I have a WordPress site with no HTTPS

    OK. Many people do. 😉

    but I am only logging in on a secure office network, never over a wifi network. Am I relatively safe from having my login details compromised?

    If your site is only accessible from your office network and nowhere else and that’s the only place you can get to your WordPress site then you’re fine.

    If your site is also accessible via the Internet then when you log in to your site you may be at risk from someone snooping your login. Even if you’re doing that from your office, you still traverse the Internet with that login.

    If you cannot install SSL then perhaps you want to consider configuring and using a two-factor authentication plugin?

    https://ww.wp.xz.cn/plugins/search/two+factor/
    https://ww.wp.xz.cn/plugins/search/2FA

    That way the credential you use to log in will expire and not work a minute later.

    Thread Starter jambog82

    (@jambog82)

    Thank you. I will try using 2FA. Without HTTPS are my credentials only vulnerable for the second it takes to log in? Or could they still be compromised during the entire time I am logged in?

    Also, there’s no way one could obtain my SQL database password or cPanel password (which has HTTPS log in) should they be able to get into my WordPress site, right?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Or could they still be compromised during the entire time I am logged in?

    Once you’re logged in you’re good and 2FA will help. It’s not as ideal as having https but you’re only exposed while your data is in transit. Even if the 2FA code is captured it will change to something else in a minute.

    Also, there’s no way one could obtain my SQL database password or cPanel password (which has HTTPS log in) should they be able to get into my WordPress site, right?

    As long as you’re not viewing the wp-config.php file or exposing your passwords over http (not encrypted) then you’re good.

    Thread Starter jambog82

    (@jambog82)

    Thank you. Very helpful and informative.

The topic ‘Login security and HTTPS’ is closed to new replies.