Site authentication involves an encryption process that scrambles login information as it passes through the Internet. This is standard procedure and is supported by almost every publishing platform, including WordPress. Unfortunately, for everything else, encryption is not enabled by default.
When a user logs in for the first time with a username and password, the web server checks the information to decide whether the account is valid. If it is, the web server replies and puts cookies on the browser to track the user's login session. Even though the login information is encrypted, the cookies are not.
This is the hole exploited by FireSheep. FireSheep is a Firefox add-on that sniffs a wifi network for cookies. Open wifi networks are easy to find now, in shopping centers, restaurants, coffee shops, and so on. A FireSheep user just needs to sit there and activate the add-on. If there is an unsecured website, FireSheep will display the names and pictures from the accounts it captured. By clicking a name or picture, the FireSheep user can log in to that account.
Below are a few tips to protect WordPress users from FireSheep:
- Do not use public wifi
- Use add-ons that force Firefox to use a secure (SSL) channel
On the WordPress side, the administrator can force WordPress to use secure access via SSL by adding configuration commands to the wp-config.php file:
# Securing login session
# Securing administration panel
Those two configuration commands are a very good option for securing WordPress sites. Before activating them, make sure your hosting provider supports SSL; consult your hosting provider about its SSL feature.
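As an added example (not the original post's snippet), here is what the two wp-config.php settings look like, together with the reverse-proxy caveat an administrator usually runs into. FORCE_SSL_LOGIN and FORCE_SSL_ADMIN are real WordPress constants; the forwarded-proto block assumes a TLS-terminating proxy or load balancer in front of the web server.

```php
<?php
// Added example: wp-config.php settings that force WordPress to use HTTPS.
// Place these above the "That's all, stop editing!" line in wp-config.php.

// Securing login session: the login form and the submitted credentials go over
// HTTPS only. FORCE_SSL_LOGIN was deprecated in WordPress 4.0; FORCE_SSL_ADMIN
// below covers the login page as well, so on current versions it is enough.
define('FORCE_SSL_LOGIN', true);

// Securing administration panel: every /wp-admin/ request, and therefore the
// authentication cookies the browser sends with it, goes over HTTPS. The
// session cookie is never exposed on the open wifi that FireSheep listens to.
define('FORCE_SSL_ADMIN', true);

// Caveat (assumption: TLS is terminated at a proxy that talks plain HTTP to
// this server). In that setup WordPress never sees $_SERVER['HTTPS'] and
// FORCE_SSL_ADMIN produces a redirect loop. Trust the forwarded-proto header
// only when the proxy is the sole thing that can reach the web server and
// it overwrites the header on every request, otherwise a client could set it.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```

After enabling the constants, load /wp-login.php over plain http:// and confirm the server redirects to https:// before the form is shown; if it does not, the hosting provider's SSL setup is not in place yet.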