Secure WordPress Admin Login Without HTTPS
I use WordPress as my blogging platform and unfortunately I’m on a shared host that charges a lot extra in order to serve HTTPS…even if it’s a self-signed certificate. My only use for HTTPS is logging in to the WordPress administrative console for management and new posts so it doesn’t really make sense to fork over that extra cash. Likewise, I tried the shared certificate provided by my host but that sent WordPress into a redirect loop for some reason.
If you’re in the same boat as me, there are a couple things you can do without spending any money.
1. SOCKS5 SSH Proxy with Proxy Switcher Plugin
If you already have SSH enabled on your host, you’re in luck, just follow along. If not, I’d highly suggest you enable it; it usually takes a simple support ticket to your host to enable it. If for some reason you can’t enable it, skip straight to 2 below for a less secure alternative.
First, install a quick proxy switcher plugin for your browser – this will enable you to quickly switch back and forth between proxy and non-proxy without having to go deep into the settings of your browser and back.
Quick Proxy Switch Plugins
Multiproxy Switch and the user guide for configuring it.
Proxy Switchy and this one is pretty self explanatory to configure.
Once installed, configure your browser proxy switcher plugin to use a SOCKS5 proxy pointed to address 127.0.0.1 with port 1234
Multiproxy Switcher will look like this
Proxy Switchy will look like this
Setup a Mac OS X/Linux SSH Proxy
If you’re using Mac OS X or any Linux variant, you can type the following at the command line which will setup your SSH proxy
nobody@nobody:~/$ ssh -D1234 firstname.lastname@example.org
alternatively, you can run it in the background since the above command will still require the shell to be open
nobody@nobody:~/$ ssh -D1234 -f -N email@example.com
Setup a SSH Windows Proxy
Download and install Putty
Configure your session like the image below
And then set up a Dynamic tunnel under the SSH/Tunnel menu by choosing the Dynamic radio button and then inputing 1234 into the source port and clicking add. It should look like this
With your proxy enabled, simply use the quick switch buttons on your proxy switcher browser plugin to switch over to using the proxy and log in to WordPress.
All traffic from your browser will be sent to local port 1234 which will be sent over an encrypted SSH proxy to your server. From there, it’s delivered right to your server with 1 hops. You can verify that with a local ‘traceroute’ on your server
nobody@nobody [~]# traceroute thexploit.com traceroute to thexploit.com (18.104.22.168), 30 hops max, 40 byte packets 1 host182.hostmonster.com (22.214.171.124) 0.048 ms 0.017 ms 0.016 ms
If you’re skeptical that it’s working, you can visit https://www.whatismyip.com/ to see what your external IP address is. It should be the same as your server.
2. SemiSecure Login Reimagined
From the plugin site, here is the description
Is it really secure?
Short answer: No, but it’s better than nothing.
Without SSL, you’re going to be susceptible to replay attacks/session hijacking no matter what. What this means is that if someone is able to guess or learn the session ID of a logged-in user (which would be trivial to do in an unprotected wireless network), then essentially they could do anything to your WordPress site by masquerading as that user.
The point of this is to prevent your password from being transmitted in the “clear.”
You can download and install it here.
This entry was posted by Dustin Schultz on December 6, 2010 at 1:22 pm, and is filed under Security. Follow any responses to this post through RSS 2.0. Both comments and pings are currently closed.
Comments are closed.