When you login to your WordPress website, the username and password are sent in clear text.
If your WordPress website is on HTTPS, the communication between your browser and website is encrypted. There is nothing to worry about. However, credentials are sent over the internet in clear text if your website is on HTTP.
Clear text traffic, such as your WordPress credentials, can be easily by malicious users. So the risk of having your WordPress username and password stolen are very high.
This post uses real life examples to highlight how easy it is for malicious hackers to steal WordPress passwords using free software. Then it recommends how best to protect your WordPress password and site.
How to steal WordPress credentials (Usernames and Passwords)
Routing of clear text data over the internet
When you access a website data is not sent directly from your browser to the web server. It is routed through a number of devices on the internet which are administered by different entities (ISPs, web hosts etc).
Depending on the geographical location of your computer and website, your WordPress login details are routed through 5 to 20 or more devices before they reach the destination. When data is sent in clear text, if a malicious hacker taps into one of these devices they can easily capture your WordPress password and username. One should not go far. Such device can also be your own home Wi-Fi router modem.
Hacking WordPress websites – stealing passwords & login details
To emulate a malicious hacker, you can use free software such as Wireshark (sniffer) or Fiddler (proxy). Both these applications can capture web traffic.
Capturing the WordPress password and login details
Let’s assume the attackers hacked your home modem and redirected all your web traffic through a Fiddler proxy server. When you login to your WordPress site the attacker can see the traffic (data) exchanged between your browser and website, as seen in the below screenshot.
Finding the stolen WordPress password & username in the sniffed traffic
Now that the malicious hacker has the captured data he just needs to find in which HTTP request the WordPress username and password are. Note that such data is stored on Fiddler, so you do not need to be logged in for the attacker to extract such information.
For this test we used the following credentials: username admin and password Str0ngPass. The below screenshot show the clear text username and password captured by the proxy the attacker set.
The log parameter contains the username and the pwd parameter contains the password (Str0ngPass).
How easy it is to capture WordPress login details?
If your website is running on HTTP it is very easy for an attacker to capture your WordPress password and username. As this article highlights, one does not have to be tech savvy. Most tools are available for free and very easy to use.
Protecting your WordPress login details (and website)
To avoid these type of attacks setup HTTPS on your WordPress website. However, do not stop there. There are a few other things that you should do: