With non-SSL (HTTP) login page is the password sent in plain text ?

  • Resolved edcroteau

    (@edcroteau)


    8 years, 11 months ago

    I can’t seem to find a clear answer to this.

    With a site that has no SSL one needs to login to https://www.domain.com/wp-admin and my question is whether the username and password are sent to the server in plain text ?

    Basically, is it dangerous to not have an SSL for WordPress admin use ?

    Thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    if the login page is NOT ssl-enabled, then the ID/psw are sent in the clear.

    That said

    (1) if you’re going to bother to set up SSL at all, make the entire site SSL. It’s easier than flipping in/out of SSL mode for admin stuff

    (2) With letsencrypt, now many hosts are offering free SSL certs. Check with yours.

    (3) Changing from https://yoursite.com to https://yoursite.com is a change of URL, so you’ll need to follow the same steps you’d use to change the site’s domain. I recommend using the plugin “better search and replace” to search for https://yoursite.com and replace it with https://yoursite.com when you go to all-SSL all the time.

    If SSL is not an option for you, look into two factor authentication plugins like Google Authenticator or Clef.

    Thread Starter edcroteau

    (@edcroteau)

    Thanks so much for the reply and clarification.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘With non-SSL (HTTP) login page is the password sent in plain text ?’ is closed to new replies.