We can agree that publicizing your wp-admin login credentials for all to see is a bad idea, right? Dumb question? Well, if you’re not logging into your WordPress Dashboard via HTTPS (or option #2, below), that’s exactly what you’re doing. Hackers can spoof your login form, “listen” to the site activity, or your coffee house neighbor could be using Firesheep on you. In case you didn’t know, bad people suck.
If someone snags your login credentials, they could wreak havoc that can make you cry. It’s scarier than just losing all your files. They might change your site content from family-friendly to R-rated, get your Dropbox or Amazon S3 credentials, install some nasty stuff, or change your account password and profile email to lock you out (your password reset link would email them, not you).
Just thinking about all that bad stuff happening to my blog gives me the creeps. Here are 2 options for securely logging into your WordPress Dashboard, creep-free:
#1 – Set up WordPress SSL / HTTPS
What’s Needed? An SSL certificate, annual cost ranging from $10 to $50+
Level of Difficulty: Easy to Moderate, depending on your hosting setup and tech support, if needed
Time Requirement: Up to an hour, possibly over the course of a day or two, depending on your hosting setup
- Buy a domain name and an SSL certificate
- Make sure you have a working email address at your domain (e.g. webmaster@), or make sure your WHOIS records display your desired SSL certificate email address (e.g. a GMail address).
- Install WordPress at your desired location. Options include: at the domain root (e.g. example.com), a subdomain (e.g. site.example.com), or a subdirectory (e.g. example.com/website/)
- From your web host control panel (or via a support ticket to your tech support), generate a Certificate Signing Request (CSR) with your company or personal information (e.g. organization name, location, and email address). This cannot be fake information and will not be kept private from your website visitors.
- If you install WordPress at the domain’s root folder or a subdirectory, issue the SSL certificate to your domain (e.g. www.example.com, even if you’re not serving the page with www).
- If you install at a subdomain, you’ll have to issue the SSL certificate to the subdomain, not the root domain.
- Once you generate your CSR, install it on your server (or have your tech support do it).
- Once enabled, test it by visiting a page on your WordPress installation via HTTPS instead of HTTP. You may also want to test your SSL certificate is installed properly by running the Qualys SSL Server Test.
- Familiarize yourself with the WordPress Codex “Administration Over SSL” page. It’s not explicitly stated in the Codex, but FORCE_SSL_ADMIN is inclusive of FORCE_SSL_LOGIN so you don’t need both set to ‘true’, just one or the other.
- Clear your browser cookies, browser cache, and website cache.
- Visit your login page and make sure the page is forced to HTTPS in the browser bar if you set FORCE_SSL_ADMIN to ‘true’. Or view the page’s source and search for “wp-login.php” and see if it’s served via HTTPS even if the browser bar shows HTTP.
- Pat yourself on the back for successfully setting up SSL for WordPress.
#2 – Use the free “WP Engine MixBoardPortalPanelPress”
What’s Needed? A Facebook or Twitter account (one or the other)
Level of Difficulty: Easy
Time Requirement: 5-10 minutes
- Visit https://portal.wpengine.com/
- Sign in with your Facebook or Twitter account, whichever is more convenient for you.
- Install and Activate the Agent WP Engine plugin on your WordPress
- Copy your portal.wpengine.com Account ID and API Token credentials into the plugin’s settings page (located at wp-admin/index.php?page=wpe-agent ).
- Refresh the portal.wpengine.com page to see your blog show up, with a link to securely login to your WordPress Dashboard (whether or not your site has an SSL certificate)
- Give your buddy a virtual high-five on Facebook or Twitter, since you’re already logged in.
Comparing the Pros and Cons
WP Engine’s MixBoardPortalPanelPress (hey, I didn’t name it) is quick and easy to setup and has some additional site tools like a malware report, site performance report, and quick access to WHOIS records. However, it doesn’t provide your site with an actual SSL certificate, which is definitely needed if you want to receive or display sensitive information on your site.
An SSL certificate with proper wp-config.php settings ensures all logins will be HTTPS, not just when clicking from portal.wpengine.com. However, you’ll need separate SSL certificates for each domain and subdomain (unless you buy a wildcard SSL Certificate, which is more expensive).
Break Your Bad Habit in 30 Days
Say it with me,
“I will not log into my WordPress website insecurely for the next 30 days. I promise.”
Image Credits: Padlock image from Flickr and screen shot from portal.wpengine.com