Comments on: Enable Secure Admin for WordPress http://millarian.com/programming/enable-secure-admin-for-wordpress/ Musings of a startup junkie and Ruby on Rails nerd. Sun, 08 Jan 2012 22:21:31 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Ben Atkin http://millarian.com/programming/enable-secure-admin-for-wordpress/comment-page-1/#comment-503 Ben Atkin Wed, 22 Jul 2009 06:35:26 +0000 http://millarian.com/?p=2364#comment-503 I thought about using my external OpenID account, with SSL, for login, but I realized that if I connected over plain http, my cookie could still get sidejacked, and someone could gain temporary access to my WordPress account. Still, it would be better than having my password sent in plaintext, as is the case now. Unfortunately, I could not get login through the OpenID plugin to work (it only claims support through WordPress 2.7, but still installed on WordPress 2.8) <a href="http://wordpress.org/extend/plugins/openid/" target="_blank">http://wordpress.org/extend/plugins/openid/</a> I'm going to try to get HTTPS with a self-signed certificate up and running soon, as I think it's the best option. After reading your post and thinking about security, I went into OS X network preferences and deleted all but a couple of my remembered networks, and unchecked the option to remember all networks I join. I don't want to pop open my laptop at Xtreme Bean and have someone snag my password from an ajax app before I even realize I've joined an unsecured network. I've been thinking about security a lot lately. I've been reading Cryptonomicon, and on Saturday I learned how to use OAuth for twitter authentication, and in the process spent a few hours reading about how OAuth works. It's fascinating. The article below provides a pretty good and relatively easy to digest description of the protocol. <a href="http://www.hueniverse.com/hueniverse/2007/10/beginners-guide.html" target="_blank">http://www.hueniverse.com/hueniverse/2007/10/begi...</a> I thought about using my external OpenID account, with SSL, for login, but I realized that if I connected over plain http, my cookie could still get sidejacked, and someone could gain temporary access to my WordPress account. Still, it would be better than having my password sent in plaintext, as is the case now. Unfortunately, I could not get login through the OpenID plugin to work (it only claims support through WordPress 2.7, but still installed on WordPress 2.8)

http://wordpress.org/extend/plugins/openid/

I'm going to try to get HTTPS with a self-signed certificate up and running soon, as I think it's the best option.

After reading your post and thinking about security, I went into OS X network preferences and deleted all but a couple of my remembered networks, and unchecked the option to remember all networks I join. I don't want to pop open my laptop at Xtreme Bean and have someone snag my password from an ajax app before I even realize I've joined an unsecured network.

I've been thinking about security a lot lately. I've been reading Cryptonomicon, and on Saturday I learned how to use OAuth for twitter authentication, and in the process spent a few hours reading about how OAuth works. It's fascinating. The article below provides a pretty good and relatively easy to digest description of the protocol.

http://www.hueniverse.com/hueniverse/2007/10/begi…

]]> By: Curtis Miller http://millarian.com/programming/enable-secure-admin-for-wordpress/comment-page-1/#comment-496 Curtis Miller Mon, 20 Jul 2009 01:48:46 +0000 http://millarian.com/?p=2364#comment-496 Yes, if you're using an untrusted network, it's a good idea to use secure login. For example, I have Gmail "Always use https" setting enabled and I use <a href="https://twitter.com/login" target="_blank">https://twitter.com/login</a> to login to Twitter. I haven't heard of Passpack, but it looks interesting. The language on their site talks about securely storing and retrieving your passwords, but I didn't see anything about what happens after you unpack your password client side and send it through insecure means. If they do something, then it is probably pretty similar to the secure proxy approach that Chris describes. Not sure if I can use Passpack with my iPhone either... Yes, if you're using an untrusted network, it's a good idea to use secure login. For example, I have Gmail "Always use https" setting enabled and I use https://twitter.com/login to login to Twitter.

I haven't heard of Passpack, but it looks interesting. The language on their site talks about securely storing and retrieving your passwords, but I didn't see anything about what happens after you unpack your password client side and send it through insecure means. If they do something, then it is probably pretty similar to the secure proxy approach that Chris describes. Not sure if I can use Passpack with my iPhone either…

]]> By: amanda http://millarian.com/programming/enable-secure-admin-for-wordpress/comment-page-1/#comment-495 amanda Mon, 20 Jul 2009 00:38:01 +0000 http://millarian.com/?p=2364#comment-495 if i might suggest, its easier to just use Passpack.... that way you don't need a separate solution for each and every site. I mean, ideally, you want to log into all sites securely from unsecured wifi, no? if i might suggest, its easier to just use Passpack…. that way you don't need a separate solution for each and every site. I mean, ideally, you want to log into all sites securely from unsecured wifi, no?

]]>