I have discovered WordPress.com recently and have started my blog on it.
But I think there are some fundamental WordPress login security issues being overlooked by many bloggers.
Question 1. How secure is WordPress.com Blog login?
WordPress.com does not offer HTTPS login option on its homepage, http://wordpress.com/, by default. But it displays a tiny yellow padlock next to the login section which can be misleading to some people who might think it is the same yellow padlock that appears on the Address and the Status bar of your browser when you are accessing a website using HTTPS.
The following image shows the WordPress.com login displaying the yellow padlock:
The following image shows the live.com login using HTTPS. Note the difference between this padlock and the one displayed on the wordpress.com login page.
You can manually enter s in the address so it reads https://wordpress.com/.
But when I do that in my Firefox 2, a padlock symbol (same as the one you see on live.com login page) with a red line diagonally across it appears in the Address and the Status bar. When I hover my cursor over the padlock symbol in the Status bar, the following message appears – “Warning: Contains unauthenticated content”.
So which part of the content is unauthenticated? Are my Username and Password secure from prying eyes?
And why doesn’t WordPress.com offer ‘full’ HTTPS login?
You can also check out the following link for some more information:
http://cuasan.wordpress.com/2007/10/05/insecurepresscom/
Question 2. How secure is WordPress.com Forum login?
After unsuccessfully searching for answers to the questions above by Googling and in the WordPress.com forum, I wanted to ask the questions in the forum.
You can manually enter the s in the address bar here again to log in to the WordPress.com Forum (https://en.forums.wordpress.com/), but you will still get the padlock symbol with a red line across it.
A strange thing is that when I log in to my blog first from http://wordpress.com/ (or https://wordpress.com/) then click on ‘Forum’ link on the top right corner of the first page that appears after logging in (with cookies enabled), I get taken to the main forum page (http://en.forums.wordpress.com/) but I don’t appear to be logged in any more. In fact, it says “Register or log in” in the log in section.
When I enter my Username and Password and click on the log in button, the page refreshes and I am still at the same page, and I find myself not able to login despite repeated attempts.
However, if I go back to my blog account page by pressing the ‘Go Back’ button on my browser, I can see I am still logged in there.
Another thing that adds to the mystery is that I have once been able to log in using HTTPS but received the following message:
——————————————————————————
Security Warning
Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?
Continue Cancel
——————————————————————————
It is frustrating not being able to ask these questions in the forum. So if anyone can offer me some explanations, I would be grateful.
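The two browser warnings quoted above point at two distinct problems on an HTTPS page: a form whose action submits over plain http:// (the "information you have entered is to be sent over an unencrypted connection" dialog), and sub-resources such as stylesheets, scripts or images fetched over http:// (the "contains unauthenticated content" padlock). The following checker, added here as an illustration and not taken from the original post or from WordPress.com, finds both in a saved copy of a page. The page URL and the HTML are constructed sample data using example.com; the WordPress.com pages themselves are not fetched.

```python
"""Audit an HTML document served over HTTPS for:
1. forms (e.g. a login form) whose action resolves to plain http://
2. active sub-resources (stylesheets, scripts, images, frames) loaded over http://
Constructed example; not part of the original post or of WordPress.com."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that carries the URL of a fetched sub-resource
RESOURCE_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "frame": "src",
    "embed": "src",
    "link": "href",  # only rel="stylesheet" links are checked, see below
}


class _PageAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure_forms = []  # (method, resolved action URL) pairs
        self.mixed_content = []   # resolved sub-resource URLs over http

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means "submit back to the current page",
            # so resolve it against the page URL before checking the scheme.
            target = urljoin(self.page_url, a.get("action") or "")
            if urlsplit(target).scheme == "http":
                method = (a.get("method") or "get").lower()
                self.insecure_forms.append((method, target))
        elif tag in RESOURCE_ATTRS:
            if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
                return  # icons, canonical links etc. are not active content
            src = a.get(RESOURCE_ATTRS[tag])
            if src:
                # Protocol-relative URLs ("//host/x.js") inherit https here
                target = urljoin(self.page_url, src)
                if urlsplit(target).scheme == "http":
                    self.mixed_content.append(target)


def audit_page(page_url, html):
    """Return the findings for an HTML document that was served from page_url."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("audit only makes sense for a page served over https")
    parser = _PageAuditor(page_url)
    parser.feed(html)
    parser.close()
    return {"insecure_forms": parser.insecure_forms,
            "mixed_content": parser.mixed_content}


# Constructed sample resembling a login page served over HTTPS (not a real page).
SAMPLE_URL = "https://example.com/"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://example.com/style.css">
  <link rel="icon" href="http://example.com/favicon.ico">
  <script src="//example.com/app.js"></script>
</head><body>
  <img src="http://static.example.com/padlock.png" alt="padlock">
  <form method="post" action="http://example.com/wp-login.php">
    <input name="log"><input name="pwd" type="password">
  </form>
  <form method="post" action="/search">
    <input name="q">
  </form>
</body></html>
"""

if __name__ == "__main__":
    findings = audit_page(SAMPLE_URL, SAMPLE_HTML)
    for method, url in findings["insecure_forms"]:
        print(f"form submits over plain HTTP ({method.upper()}): {url}")
    for url in findings["mixed_content"]:
        print(f"unauthenticated sub-resource over HTTP: {url}")
```

On the sample, the login form is reported because its action is an http:// URL even though the page itself is https://, while the search form is fine because its relative action resolves to https://. The stylesheet and the image are reported as mixed content; the protocol-relative script is not, and the http:// favicon is ignored because a non-stylesheet link is not active content. The checker works on a saved page, so it says nothing about what happens after login, which is where the comments below describe the HTTPS connection dropping back to HTTP.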
To get https on your own WordPress site you need to buy an SSL certificate. Once you buy an SSL certificate, you can access your site by going to https://www.test.com. You could also go to your login page by going to https://www.test.com/wp-admin. Now this is all secure. Once you have purchased your SSL cert for the website, you can also get a plugin (search Google) to force SSL for all login pages.
It’s not that WordPress doesn’t support https, but you need to do it for the whole website or domain name. Let me know if that works.
-securepla.net
Thank you for your info. I appreciate people teaching me new things everyday.
I am just starting out with this blog so I am not quite ready to splash out on an SSL certificate yet, but it is definitely something I will consider at a later stage.
For anyone else who might be interested, I have found that:
With Firefox 3, I have SSL connection to My Dashboard, but so far only when I click on a link in an email sent from WordPress.com, then manually changing http:// to https://.
If you log in by typing https://wordpress.com/wp-login.php in the address bar, the SSL connection will break after you log in, but you can get back to https:// by typing in the ‘s’.
You might pick up a free Certificate from CACert.org
It’s free, and can be quite handy. For instance, you can use a client-side certificate to log into websites without passwords etc.
Worth a look perhaps.
PS Thanks for the link-back
WordPress.com has ‘Always use HTTPS when visiting administration pages’ option for secure login connection.
Once you’re logged into your WordPress.com account:
My Account (top left hand corner of your screen) > Edit Profile > Personal Options > Browser Connection > Select ‘Always use HTTPS when visiting administration pages’ > Click on ‘Update Profile’ button at the bottom.
My post on it is found here.
You hit the nail on the head with a great write-up with a handful of excellent info
Great
Forgot to say that WordPress is very useful.