Skip to content
Read For Learn
Read For Learn
  • Database
    • Oracle
    • SQL
  • C
  • C++
  • Java
  • Java Script
  • jQuery
  • PHP
Read For Learn
  • Database
    • Oracle
    • SQL
  • C
  • C++
  • Java
  • Java Script
  • jQuery
  • PHP

Sniffing wordpress user’s credentials

The login process itself is not as important, it is a one time thing that with the right settings you can do once a year.

What is important is the authentication cookies that are being sent. As long as they are not encrypted it doesn’t matter at all how much defense you put on the login form itself, and cookies are sent every time any of the URLs of the site are being fetched.

So you either have SSL or you are not secure. There is a middle ground in wordpress in which you will automatically get HTTPS URLs for logged-in users (and the login form) but obviously you still need a certificate.

Why would anyone not use HTTPS when the threat of WiFi is known and the cost of a certificate is zero? because the cost of the “free” certificate is wasting time to configure it and administering it, and while the WiFi threat exist, no one showed it that using WiFi is less secure than having an account on Yahoo, and most people do not connect from an external Wifi to their sites. Personally I use my cellular data even when free WiFi is available.

There are also other benefit of not running a full HTTPS site, especially caching. When you do HTTPS your content can not be cached.

So yes, the industry (google) tries to make it a case of white and black but in reality it is (like most things) gray. Everyone has to asses his own security risks and compare it to the amount of work required to overcome it and make his own decision

Related Posts:

  1. Is there any way to rename or hide wp-login.php?
  2. Increase of failed login attempts, brute force attacks? [closed]
  3. How to fake a WordPress login?
  4. Brute force attack?
  5. Receiving “This content cannot be displayed in a frame” error on login page
  6. Websites defaced by uploading script using theme editor
  7. Make wordpress admin failed login attempt return 401
  8. WordPress login urls
  9. Store brute-force IP addresses
  10. How to create a private login page for admin.?
  11. WordPress Security – How to block alternative WordPress access
  12. Protecting WordPress login page
  13. wp-admin folder, brute force, and password protection
  14. disable site_url redirect in wp-login.php
  15. Does WordPress (or a plugin) reveal login credentials to admin?
  16. Is wp_login_form secure on a non secure page?
  17. Is the login encrypted before it is sent? If so how to do I encrypt it the same way?
  18. WordPress login security
  19. Why isn’t the login page rate limited by default?
  20. How can I password protect a WordPress site without requiring users to log in?
  21. Input sanitation
  22. How to Prevent Brute Force Attack on WordPress
  23. Advice on redirect to lock site from unauthorized users
  24. Where is the php file, that does the checks for login information?
  25. Error on WordPress Login
  26. Access log “POST /wp-login.php HTTP/1.0” 400
  27. force login loophole
  28. I need to find which is the file that checks the DB for correct login (username, password)
  29. How to create separate login for authors/moderators/subscribers?
  30. How to invalidate `password reset key` after being used
  31. Site is not loading after relogin attempts on SSL
  32. Some crawlers/bots attempting to login with very good guesses. How?
  33. Hide wp-login.php but not the widget
  34. How login is possible, if I deny login page via nginx?
  35. Encrypt Password in Configuration Files?
  36. I can’t access my site via wp-admin
  37. Website Visible only to Registered users
  38. How do I use add_action from a class method?
  39. I want to disable E-Mail verifcation / activation when a user signs up for my WordPress site
  40. How do I check if a post is private?
  41. Action wp_login_failed not working if only one field is filled out
  42. Display last login time
  43. how to update current logged user username
  44. Admin user getting message ‘You need a higher level of permission’
  45. How to implement Google reCaptcha without installing a plugin?
  46. Problem with logging in WP users automatically
  47. advance membership managment
  48. Logins through alias
  49. Redirect users to a front end wp login page
  50. Redirecting or displaying a message on first login
  51. wp_get_referer not working properly after wp_redirect
  52. Login Button CSS
  53. Force Users to Login – loop problem
  54. I want to disable login of admin (/wp-admin) with email and make it accessible only with username
  55. Deregister default wp-admin css on login screen only?
  56. Should I encrypt the response that triggers an Ajax action? Is nonce sufficient?
  57. SSO to WP, from a non-wp site on a different domain and server
  58. How can I login as admin after redirect to custom login page
  59. Login with serialized password
  60. is_user_logged_in() not working in Firefox
  61. Can I (and should I) change the login-URL from functions.php?
  62. Code for Log Out Button Yields Strange URL
  63. Display first name instead of username
  64. How can I make a login just like on wordpress.org?
  65. autocomplete=”off” WordPress Login
  66. Why there is a 302 status when my account and password are right?
  67. 503 Login WordPress [closed]
  68. Password recovery URL has error – but not found in code or db
  69. Cannot Get User id after login success in file wp_login.php
  70. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  71. authenticate user without redirecting
  72. Create front end member login
  73. Logging in to the frontend works correctly but not for WP-Admin
  74. Make an order of products without login
  75. Updated : how to make email optional while user registration using default wordpress form
  76. Bypass login page
  77. Using WordPress login for a non word-press website
  78. After moving WordPress to its own directory, login doesn’t work
  79. WordPress login is not showing , there is warning?
  80. WordPress Redirect After logging
  81. Issue logging in from second computer
  82. Login problem with https
  83. How to Create a login for for subscribers only
  84. WordPress auto login user after registration only from a specific page
  85. Custom Field For Login
  86. User login without username, only password
  87. Opening protected page with cookie?
  88. Login user after registration programmatically
  89. wp_lostpassword_url not escaped
  90. Directory authentication initially succeeded, but no valid profile was found (“get entries” procedure)
  91. Trim the repeated value in URL
  92. Warning: session_start(): Cannot send session cookie – headers already sent by
  93. I can’t login to wordpress dashboard without SSH
  94. Member Area Login with Fail Message
  95. How to Find WordPress site has backdoor login Codes
  96. Username character requirements
  97. Users cannot log in using popup
  98. Entire WordPress content disappears
  99. Remove login link from Reset Password-screen
  100. Display number of consecutive days a user has been active on the site
Categories login Tags encryption, login, security
Automate specific steps on WordPress install
How can I display a single post link, based on title sample and change monthly?

Recommended Hostings

Cloudways: Realize Your Website's Potential With Flexible & Affordable Hosting. 24/7/365 Support, Managed Security, Automated Backups, and 24/7 Real-time Monitoring.

FastComet: Fast SSD Hosting, Free Migration, Hack-Free Security, 24/7 Super Fast Support, 45 Day Money Back Guarantee.

Recent Added Topics

  • Bug in translation system: load_theme_textdomain() returns true, files are available and accessible but the language defaults to english
  • Custom Elementor controls not appearing in the widget Advanced tab using injection hooks
  • Get the name of the template/*html file used
  • Trying to Add Paging to Single Post Page
  • Sharing media files between live and staging servers
  • How to display the description of a custom post type in the dashboard?
  • Critical error on image display
  • Copying WP data and files into new install?
  • How to determine the DirectAdmin WordPress backup date?
  • How to get list of ALL tables in the database?
© 2026 Read For Learn
  • Database
    • Oracle
    • SQL
  • algorithm
  • asp.net
  • assembly
  • binary
  • c#
  • Git
  • hex
  • HTML
  • iOS
  • language angnostic
  • math
  • matlab
  • Tips & Trick
  • Tools
  • windows
  • C
  • C++
  • Java
  • javascript
  • Python
  • R
  • Java Script
  • jQuery
  • PHP
  • WordPress