Secure WordPress Admin Login Without HTTPS
I use WordPress as my blogging platform and unfortunately I’m on a shared host that charges a lot extra in order to serve HTTPS…even if it’s a self-signed certificate. My only use for HTTPS is logging in to the WordPress administrative console for management and new posts so it doesn’t really make sense to fork over that extra cash. Likewise, I tried the shared certificate provided by my host but that sent WordPress into a redirect loop for some reason.
If you’re in the same boat as me, there are a couple things you can do without spending any money.
1. SOCKS5 SSH Proxy with Proxy Switcher Plugin
If you already have SSH enabled on your host, you’re in luck; just follow along. If not, I’d highly suggest you enable it; it usually takes a simple support ticket to your host. If for some reason you can’t enable it, skip straight to option 2 below for a less secure alternative.
First, install a quick proxy switcher plugin for your browser – this will enable you to quickly switch back and forth between proxy and non-proxy without having to go deep into the settings of your browser and back.
Quick Proxy Switch Plugins
Firefox
Multiproxy Switch and the user guide for configuring it.
Chrome
Proxy Switchy, and this one is pretty self-explanatory to configure.
Once installed, configure your browser proxy switcher plugin to use a SOCKS5 proxy pointed at address 127.0.0.1, port 1234.
Multiproxy Switcher will look like this
Proxy Switchy will look like this
Set up a Mac OS X/Linux SSH Proxy
If you’re using Mac OS X or any Linux variant, type the following at the command line to set up your SSH proxy:
nobody@nobody:~/$ ssh -D1234 username@yourdomain.com
Alternatively, you can run it in the background with -f (go to the background after authentication) and -N (run no remote command), since the command above keeps the shell open:
nobody@nobody:~/$ ssh -D1234 -f -N username@yourdomain.com
Set up an SSH Windows Proxy
Download and install PuTTY.
Configure your session like the image below.
Then set up a dynamic tunnel under the SSH/Tunnels menu by choosing the Dynamic radio button, entering 1234 as the source port and clicking Add. It should look like this:
With your proxy enabled, simply use the quick switch buttons on your proxy switcher browser plugin to switch over to using the proxy and log in to WordPress.
All traffic from your browser is sent to local port 1234, where SSH encrypts it and carries it through the tunnel to your server. From there, requests for your own site are delivered in 1 hop, because the server is talking to itself. You can verify that with a local ‘traceroute’ on your server:
nobody@nobody [~]# traceroute thexploit.com
traceroute to thexploit.com (74.220.207.182), 30 hops max, 40 byte packets
 1  host182.hostmonster.com (74.220.207.182)  0.048 ms  0.017 ms  0.016 ms
If you’re skeptical that it’s working, you can visit https://www.whatismyip.com/ to see what your external IP address is. It should be your server’s IP address.
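To tie the Mac OS X/Linux steps above together, here is an added shell script (not code from the original post) that starts the tunnel with a couple of safety options, then performs the same check the post does by eye at whatismyip.com: it compares the address seen through the proxy with the address the server reports for itself. It assumes the user name, host and port used in the post (username@yourdomain.com, local port 1234), that ssh and curl are installed on your machine and curl on the server, and uses api.ipify.org as a plain-text "what is my IP" service (an assumption; any equivalent works).

```shell
#!/bin/sh
# Added example, not code from the original post. Brings up the SOCKS5 SSH
# tunnel described above, checks the local port, and confirms that traffic
# sent through the proxy really leaves the network from the server's address.
# Assumptions (hypothetical, as in the post): SSH user "username", host
# "yourdomain.com", local SOCKS port 1234; ssh and curl installed locally,
# curl installed on the server; api.ipify.org used as a plain-text IP echo.

SSH_TARGET="${SSH_TARGET:-username@yourdomain.com}"
SOCKS_PORT="${SOCKS_PORT:-1234}"
IP_ECHO_URL="https://api.ipify.org"

# 0 if $1 is an integer in 1..65535; guards against a typo in the port.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# 0 only if both addresses are non-empty and identical.
same_ip() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Start the tunnel in the background. -D binds the SOCKS listener to loopback
# only, -N runs no remote command, -f backgrounds after authentication.
# ExitOnForwardFailure makes ssh exit instead of running silently without the
# forward when port 1234 is already taken by something else.
start_proxy() {
    valid_port "$SOCKS_PORT" || { echo "bad port: $SOCKS_PORT" >&2; return 1; }
    ssh -D "127.0.0.1:$SOCKS_PORT" -f -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 \
        "$SSH_TARGET"
}

# Address the internet sees when we go through the proxy.
# --socks5-hostname sends the DNS lookup through the tunnel as well.
proxy_exit_ip() {
    curl -s --max-time 15 --socks5-hostname "127.0.0.1:$SOCKS_PORT" "$IP_ECHO_URL"
}

# Address the server itself reports, fetched over a plain ssh command.
server_ip() {
    ssh "$SSH_TARGET" "curl -s --max-time 15 $IP_ECHO_URL"
}

main() {
    start_proxy || return 1
    via_proxy=$(proxy_exit_ip)
    on_server=$(server_ip)
    if same_ip "$via_proxy" "$on_server"; then
        echo "OK: proxy exit $via_proxy matches server $on_server"
    else
        echo "MISMATCH: proxy exit '$via_proxy' vs server '$on_server'" >&2
        return 1
    fi
}

# Run only when invoked as "sh wp-tunnel.sh up" (hypothetical file name), so
# the functions can also be sourced and reused from another script.
if [ "${1:-}" = "up" ]; then
    main
fi
```

Run it as sh wp-tunnel.sh up once your key or password prompt has been handled; it prints OK when the address seen through the proxy equals the server's own address, which is exactly the condition the post asks you to confirm at whatismyip.com. The --socks5-hostname flag matters: a browser that has been pointed at a SOCKS5 proxy may still resolve host names locally unless told otherwise (Firefox exposes this as "Proxy DNS when using SOCKS v5"), so the names you look up can leak to the local network even though the login itself travels through the tunnel.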
2. SemiSecure Login Reimagined
From the plugin site, here is the description:
Semisecure Login Reimagined increases the security of the login process by using a combination of public and secret-key encryption to encrypt the password on the client-side when a user logs in. JavaScript is required to enable encryption. It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.
Is it really secure?
Short answer: No, but it’s better than nothing.
Without SSL, you’re going to be susceptible to replay attacks and session hijacking no matter what. What this means is that if someone is able to guess or learn the session ID of a logged-in user (trivial to do on an unprotected wireless network), they could essentially do anything to your WordPress site by masquerading as that user.
The point of this plugin is only to prevent your password from being transmitted in the “clear.”
You can download and install it here.