UPDATE [2009-04-01]: As you are possibly aware, Semisecure Login has not functioned with a stock WordPress install since before version 2.5. Moggy has created a new plugin (called Semisecure Login Reimagined) which is available for download here. You can check out his blog post about it for more information. This page is being kept merely for historical purposes (I’m a bit of a packrat).
Semisecure Login is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.
In setting up this new site, I encountered what I considered to be a bit of a shortcoming in the stock WordPress system – virtually no security against replay attacks in the admin system. I guess that the authors assume some sort of SSL encryption being available if you want to prevent your website from being hijacked (or else limiting admin access based on IP, which is less-than-desirable).
As I am too ~~cheap~~ cost-conscious to have a dedicated IP and SSL cert for my personal site, I thought of a couple options for allowing the convenience of logging on anywhere while still protecting my password.
- Create some sort of web-based tunnel. Not particularly feasible without having some SSL certificate/dedicated IP elsewhere, which just moves the problem instead of addressing it.
I opted for the second solution. I thought to myself, “Surely there exists a plugin for this already? Don’t thousands of users have blogs on non-SSL servers and need some form of protection?” Lo and behold, not more than a few weeks ago, Enrico Rossomando created a plugin that served a very similar purpose! “Well, this is perfect!” I thought to myself. I installed it as directed, and set to testing it out.
Click here to download the plugin at the official WordPress page. Installation instructions and a Changelog are there as well.