Title: Login security and HTTPS
Last modified: April 7, 2017

---

# Login security and HTTPS

 *  [jambog82](https://wordpress.org/support/users/jambog82/)
 * (@jambog82)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/login-security-and-https/)
 * I have a wordpress site with no HTTPS, but I am only logging in on a secure office
   network, never over a wifi network. Am I relatively safe from having my login
   details compromised?
 * PLEASE NOTE:
    this is not a site that contains any sensitive data what so ever.
   It’s a local community website with information about upcoming events, etc. I
   anticipate it will have very little traffic.
 * I am using some basic security measures to prevent any type of brute force attacks
   such as changing the wordpress login from the default “wp-admin” URL and of course
   using unique username and password. Any other suggestions to increase security
   without using HTTPS are welcomed.
 * Also, I know you can get SSL certs for free so there is “no excuse”, but I’m 
   dealing with a cheap webhost, like $2 per month cheap, and they haven’t responded
   to any tickets I’ve submitted about installing an SSL. I’m using cPanel, but 
   the SSL/TLS Manger is not available, so apparently they deactivate this feature
   on their cPanel accounts.

Viewing 4 replies - 1 through 4 (of 4 total)

 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [9 years, 2 months ago](https://wordpress.org/support/topic/login-security-and-https/#post-9006136)
 * > I have a wordpress site with no HTTPS
 * OK. Many people do. 😉
 * >  but I am only logging in on a secure office network, never over a wifi network.
   > Am I relatively safe from having my login details compromised?
 * If your site is only accessible from your office network and nowhere else and
   that’s the only place you can get to your WordPress site then you’re fine.
 * If your site is also accessible via the Internet then when you login to your 
   site then you may be at risk from someone snooping your login. Even if you’re
   doing that from your office, you still traverse the Internet with that login.
 * If you cannot install SSL then perhaps you want to consider configuring and using
   a two-factor authentication plugin?
 * [https://wordpress.org/plugins/search/two+factor/](https://wordpress.org/plugins/search/two+factor/)
   
   [https://wordpress.org/plugins/search/2FA](https://wordpress.org/plugins/search/2FA)
 * That way the credential you use to login will expire and not work a minute later.
 *  Thread Starter [jambog82](https://wordpress.org/support/users/jambog82/)
 * (@jambog82)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/login-security-and-https/#post-9007292)
 * Thank you. I will try using 2FA. Without HTTPS are my credentials only vulnerable
   for the second it takes to log in? Or could they still be compromised during 
   the entire time I am logged in?
 * Also, there’s no way one could obtain my SQL database password or cPanel password(
   which has HTTPS log in) should they be able to get into my wordpress site, right?
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [9 years, 2 months ago](https://wordpress.org/support/topic/login-security-and-https/#post-9007610)
 * > Or could they still be compromised during the entire time I am logged in?
 * Once your logged it you’re good and 2FA will help. It’s not ideal as having https
   but your only exposed while your data is in transit. Even if the 2FA code is 
   captured it will change to something else in a minute.
 * > Also, there’s no way one could obtain my SQL database password or cPanel password(
   > which has HTTPS log in) should they be able to get into my wordpress site, 
   > right?
 * As long as you’re not viewing the `wp-config.php` file or expoising your passwords
   over http (not encrypted) then you’re good.
 *  Thread Starter [jambog82](https://wordpress.org/support/users/jambog82/)
 * (@jambog82)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/login-security-and-https/#post-9007828)
 * Thank you. Very helpful and informative.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Login security and HTTPS’ is closed to new replies.

## Tags

 * [HTTPS](https://wordpress.org/support/topic-tag/https/)
 * [login](https://wordpress.org/support/topic-tag/login/)
 * [SSL](https://wordpress.org/support/topic-tag/ssl/)

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 4 replies
 * 2 participants
 * Last reply from: [jambog82](https://wordpress.org/support/users/jambog82/)
 * Last activity: [9 years, 2 months ago](https://wordpress.org/support/topic/login-security-and-https/#post-9007828)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics