Google have been pushing the HTTPS agenda for a few years now – they want all websites to run on HTTPS. If your WordPress is still running on HTTP, when you login to WordPress and access the dashboard or admin pages, all data is sent in clear text. This means that your WordPress credentials are also sent over the internet in clear text.
Therefore the risks of having your WordPress username and password stolen are very high. This post explains how malicious hackers can steal your WordPress login details using free software. It also recommends what you can do to protect your website from such attacks and how to use WordPress activity logs to spot suspicious behaviour early.
How to steal WordPress credentials (Usernames and Passwords)
Routing of Clear Text Data Over the Internet
When you access a website or your WordPress, the data is not sent directly from your computer's browser to the web server. It is routed through several devices on the internet that are administered by different entities (ISPs, web hosts, etc.).
Depending on the geographical location of your computer and of your WordPress website, your login details might be routed through 5 to 20 or more devices before they reach their destination. Since such data is sent in clear text, should a malicious hacker tap into any one of these devices (which could be your own home router), they can easily retrieve your WordPress username and password.
Hacking WordPress websites by stealing login details
Malicious hackers use software such as Wireshark (sniffer) or Fiddler (proxy) to capture your WordPress login details.
For example, the screenshot below is of Fiddler, proxy software that an attacker might use to capture your WordPress credentials by proxying the traffic through it.
Finding the stolen WordPress credentials in the traffic capture
Once the malicious hacker has a copy of the data exchanged between your web browser and your WordPress website, all they need to do is identify the request sent to WordPress that includes the credentials.
In this test case we used admin as the username and Str0ngPass as the password, as can be clearly seen in the screenshot below.
The log parameter contains the username used to login to WordPress (admin) and the pwd parameter contains the password (Str0ngPass).
Malicious hackers do not need to be tech savvy to do such tasks. These free tools are easy to use, and anyone with basic computer skills can capture and steal WordPress passwords. This is why Google recommends turning on SSL (HTTPS) for your WordPress login pages.
Protecting your WordPress login details (and password)
There are several ways to avoid having your WordPress login details stolen. The first and most secure way is to access your WordPress dashboard over an HTTPS connection. Refer to the WordPress HTTPS (SSL) security tutorial to configure WordPress SSL using a plugin, or refer to our Definitive Guide to Implementing WordPress SSL to implement SSL manually.
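To confirm that the fix above actually holds, here is an added check (written for this post, not code from the original article or from WordPress) that requests a site's wp-login.php over plain HTTP and over HTTPS without following redirects, then reports whether the login form is ever reachable in clear text and whether HSTS is set. It assumes the standard /wp-login.php path and takes the hostname as its only argument.

```python
import http.client
import re
import sys
from urllib.parse import urlsplit

LOGIN_PATH = "/wp-login.php"  # WordPress's standard login endpoint

def assess_http_login(status, headers):
    """Grade the response to a plain-HTTP GET of wp-login.php. An empty
    list means the browser is sent straight to HTTPS, so the log/pwd
    POST described above never travels in clear text."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return ["login form served over HTTP: credentials would be POSTed in clear text"]
    if status in (301, 302, 307, 308):
        target = h.get("location", "")
        if urlsplit(target).scheme != "https":
            return [f"redirects to a non-HTTPS location: {target!r}"]
        if status in (302, 307):
            return ["temporary redirect: use 301/308 so browsers cache the HTTPS upgrade"]
        return []
    return [f"unexpected status {status} on the HTTP login page"]

def assess_https_login(headers):
    """Check the HTTPS login response for HSTS, which stops browsers
    from retrying plain HTTP on later visits."""
    h = {k.lower(): v for k, v in headers.items()}
    hsts = h.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header on the HTTPS login page"]
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) == 0:
        return [f"HSTS present but max-age missing or zero: {hsts!r}"]
    return []

def _fetch(conn_cls, host):
    # one GET of the login page; http.client never follows redirects
    conn = conn_cls(host, timeout=10)
    conn.request("GET", LOGIN_PATH)
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())

def check_site(host):
    """Live check of one host (needs network); returns all findings."""
    status, headers = _fetch(http.client.HTTPConnection, host)
    findings = assess_http_login(status, headers)
    _, headers = _fetch(http.client.HTTPSConnection, host)
    return findings + assess_https_login(headers)

if __name__ == "__main__":
    print("\n".join(check_site(sys.argv[1]) or ["OK: HTTPS-only login with HSTS"]))
```

Run it as `python check_login.py yourdomain.example`; an empty findings list means a browser is never shown the login form over HTTP.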
You should also add two-factor authentication to your WordPress, because even though malicious hackers can't steal your credentials when you access the WordPress admin pages over SSL, your login page is still susceptible to brute force attacks. Two-factor authentication protects your WordPress from automated brute force attacks.
Keep a WordPress activity log to identify suspicious logins and hack attacks
As a rule of thumb, the more security layers you can implement on your WordPress website, the better. Since no WordPress security solution is perfect, you should also keep a WordPress activity log so that you can spot suspicious logins and other activity on your WordPress websites.
By using a plugin such as WP Security Audit Log on your WordPress website you can keep a log of everything that is happening on your website, so you will be able to take the necessary action before your website is damaged in the event of a WordPress hack attack.