Semisecure Login
The Semisecure Login plugin for WordPress increases the security of the login process by applying a client-side MD5 hash to the password when a user logs in. JavaScript is required for the hashing to take place. When JavaScript is not available, the password is transmitted in plaintext (as normal), but authentication still completes in this case.
It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.
Background
In setting up this new site, I encountered what I considered to be a bit of a shortcoming in the stock WordPress system - virtually no security against replay attacks in the admin system. I guess that the authors assume some sort of SSL encryption being available if you want to prevent your website from being hijacked (or else limiting admin access based on IP, which is less-than-desirable).
As I am too cost-conscious to have a dedicated IP and SSL cert for my personal site, I thought of a couple options for allowing the convenience of logging on anywhere while still protecting my password.
- Create some sort of web-based tunnel. Not particularly feasible without having some SSL certificate/dedicated IP elsewhere, which just moves the problem instead of addressing it.
- Use JavaScript to one-way encrypt the password on-the-fly. This requires JavaScript to ensure proper security, but hey, it’s hard to have your cake and eat it too.
I opted for the second solution. I thought to myself, “Surely there exists a plugin for this already? Don’t thousands of users have blogs on non-SSL servers and need some form of protection?” Lo and behold, not more than a few weeks ago, Enrico Rossomando created a plugin that served a very similar purpose! “Well, this is perfect!” I thought to myself. I installed it as directed, and set to testing it out.
Unfortunately, it wasn’t perfect in my mind. In the event JavaScript was disabled, it failed miserably, with no indicators that JavaScript was required (this goes against the high emphasis I place on gracefully degrading code). I took a look at the code, and was a bit surprised at the methods it was using to perform the authentication. Also, the password field was being modified as it was sent, which caused extra characters to appear before the form was redirected. I decided I could meet my needs better with my own code, and thus it was that I plunged into the world of WordPress plugin creation.
Download
Click here to download the plugin at the official WordPress page. Installation instructions and a Changelog are there as well.
Questions/Comments?
Leave ‘em below!
October 5th, 2007 at 12:06 pm
Hi James
I get two errors:
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /……/wp-login.php:30) in /…/wp-content/plugins/semisecure-login/semisecure-login.php on line 43
and
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /…/wp-login.php:30) in /…/wp-content/plugins/semisecure-login/semisecure-login.php on line 43
the plugin seems to work
I use wp 2.2.1 in italian.
Do you know a way to fix it?
October 5th, 2007 at 1:00 pm
@arquimede: I’ve updated a change that suppresses that warning. Out of curiosity, what version of PHP are you running, and what other plugins are you using? I assume that I don’t get this error because I have output buffering enabled somewhere - perhaps this is a setting in my php.ini that I didn’t realize was set.
October 6th, 2007 at 2:08 am
PHP 4.4.2. I have downloaded the latest update of Semisecure Login (1.03) right now, and it no longer displays any warnings.
I have tested it with WP 2.3 and WP MU 1.2.5 (should be PHP 5.2.3 for both of them) and it does not display any error message.
Thanks a lot for the fix.
October 14th, 2007 at 5:47 pm
Hi James..
I’m a sort of Enrico’s friend. I used to be the tester of the plugin on my site, and then when I encountered problems I told them to Enrico.
Personally, I find your suggestions very useful, especially when you talk about user-friendly code: to be honest, when he first developed the plugin, he only wanted to write a plugin that worked. No matter about users and all the rest.
Surely, when I see your solution (When I registered on wordpress I noticed the changes) I appreciate the kind of communication you use.
Only one question: have you also changed the core code - the part that really transforms the password?
Thanks in advance! Michele
October 14th, 2007 at 5:53 pm
well, maybe you have written a completely new plugin / not based on enrico’s idea? can’t understand… tomorrow I’ll try it.
Michele
October 14th, 2007 at 6:00 pm
@Musikele: The part that “changes” the password has changed in a few ways. First of all, the “salt” that is added to the password before it is encrypted is pulled from a larger pool of “potential salts.” Also, I force the salt to be changed after each potential use, preventing the same “encoded” password from being used twice in a row. Enrico’s version only changed the salt when a user logged out. Also, I use different hooks to accomplish similar purposes, which I feel are more in line with “standard WordPress practices.” I still use the exact same md5 JavaScript functions that were used in Enrico’s plugin (copyright Paul Johnston), but I pretty much rewrote the entire core, “inspired” in a way by Enrico’s work.
I hope that answers your question - if you had any other specific questions or concerns, please let me know!
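The salt rotation described in the comment above, sketched as an added example (not the plugin's code and not part of the original comment). It assumes the response is md5(md5(password) + salt) and that the server keeps md5(password); the names LoginServer, clientResponse and demo and the 16-byte salt are hypothetical. It also shows a limit of the design: the stored hash by itself is enough to answer a challenge.

```javascript
// Added example: single-use salt (nonce) login, both sides in one Node.js file.
const crypto = require("crypto");

const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Server side. storedHash is assumed to be md5(password).
class LoginServer {
  constructor(storedHash) {
    this.storedHash = storedHash;
    this.nonce = null;
  }
  // Issue a fresh random salt with every login form (assumed: 16 random bytes).
  issueNonce() {
    this.nonce = crypto.randomBytes(16).toString("hex");
    return this.nonce;
  }
  // Check a response, discarding the salt whether or not it matched.
  verify(response) {
    const nonce = this.nonce;
    this.nonce = null; // single use: changed after each potential use
    if (nonce === null || typeof response !== "string") return false;
    const expected = Buffer.from(md5(this.storedHash + nonce), "hex");
    const got = Buffer.from(response, "hex");
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

// Browser side: only the salt-bound digest crosses the wire.
function clientResponse(password, nonce) {
  return md5(md5(password) + nonce);
}

function demo() {
  const server = new LoginServer(md5("correct horse")); // constructed sample password
  const n1 = server.issueNonce();
  const captured = clientResponse("correct horse", n1); // what the wire carries
  const firstLogin = server.verify(captured);
  const replaySameNonce = server.verify(captured); // salt already consumed
  server.issueNonce();
  const replayNewNonce = server.verify(captured); // digest is bound to the old salt
  // Caveat: the stored hash is password-equivalent, so a database leak
  // is as damaging as a password leak under this scheme.
  const n3 = server.issueNonce();
  const hashOnlyLogin = server.verify(md5(server.storedHash + n3));
  return { firstLogin, replaySameNonce, replayNewNonce, hashOnlyLogin };
}
```

The scheme only addresses passive capture and replay of the login request; without TLS the page and its JavaScript can still be altered in transit, and the session cookie still travels in the clear.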
January 12th, 2008 at 6:07 pm
Hi, I recently downloaded version 1.0.3 and installed it to WordPress 2.3.1.
It works ok but there is one problem…I have to log in twice. Every time I access the admin page it always gives me a wrong password the first time and then it works the second time, can you see any reason for this? Thanks.
January 17th, 2008 at 1:48 pm
@eb001: I’m using version 1.0.3 on WordPress 2.3.2, and I don’t see the behavior that you’re describing. Do you have any other login/session management plugins? What URL are you using to access the login page? What browser are you using (it may be JavaScript-related)?
January 18th, 2008 at 10:36 pm
I am also using the wp-password plugin, do you think there is a conflict?
It happens with every browser I’ve tried (IE7, Firefox, Opera).
March 16th, 2008 at 2:38 am
I too have to login twice when I first view my login form (no session maybe?) and the “remember me” also doesn’t work. I’m using Firefox 2.0.0.12.
The double login even happens here on this blog.
The no remember me is due to the plugin’s usage of wp_setcookie() without the remember me tag in place I think.
March 29th, 2008 at 1:56 am
Do you plan on updating this plugin for 2.5 or should I branch?
April 16th, 2008 at 4:37 pm
Having a strange problem where, when using Firefox 3 beta 5, when I try to log in to my blog it tells me the password is incorrect. It doesn’t show any error message, except for saying ‘incorrect password’. I can still log in via Internet Explorer, but just not with Firefox. I’m using WordPress 2.5 on my blog. It doesn’t happen when I log in here to post a comment (looks like you’re running 2.3.1) so seems to be a problem with Firefox and 2.5…
April 20th, 2008 at 1:08 pm
Hi!
I am having the exact same problem as the previous poster. I cannot log in using Firefox 2.0.0.14. Luckily, IE indeed works, so I was able to use it to deactivate the plugin.
April 23rd, 2008 at 12:55 pm
I have the same problem running Safari 3.1.1 and WordPress 2.5.
April 24th, 2008 at 10:49 am
I also have to log in twice, as Viper007Bond and eb001 do. I use WordPress 2.3.3 and Firefox. Any ideas to solve this? Thanks for such a useful plugin.
April 27th, 2008 at 3:10 pm
If anyone’s interested, I’ve fixed this plugin for WordPress 2.5.
2.5 introduced a new hashing scheme and deprecated the hook this plugin was relying on. There’s a new hook (check_password) that can be used for the same purpose. Hashing was trickier, but rather than try to recreate phpass() in JavaScript, I used the MD5 Password Hashes plugin for 2.5 to revert to the legacy behavior. My fix is dependent on that plugin. In any case, I think transmitting a password in plain text across a network is a far more serious security risk, so I’m happy to trade down to MD5 in exchange for fixing that.
My fix restores the plugin’s functionality for 2.5, including the very nice behavior of graceful degradation in the absence of client-side JavaScript. Anyone interested?
May 1st, 2008 at 11:15 am
Adam Lee: Of course we are (at least I am) interested!