I have discovered WordPress.com recently and have started my blog on it.
But I think there are some fundamental WordPress login security issues being overlooked by many bloggers.
Question 1. How secure is WordPress.com Blog login?
WordPress.com does not offer HTTPS login option on its homepage, http://wordpress.com/, by default. But it displays a tiny yellow padlock next to the login section which can be misleading to some people who might think it is the same yellow padlock that appears on the Address and the Status bar of your browser when you are accessing a website using HTTPS.
The following image shows WordPress.com login displaying the yellow padlock:
The following image shows live.com login using HTTPS. Note the difference between this padlock and the one displayed on the wordpress.com login page.
You can manually enter an ‘s’ in the address so it reads https://wordpress.com/.
But when I do that in my Firefox 2, a padlock symbol (same as the one you see on live.com login page) with a red line diagonally across it appears in the Address and the Status bar. When I hover my cursor over the padlock symbol in the Status bar, the following message appears – “Warning: Contains unauthenticated content”.
So which part of the content is unauthenticated? Are my Username and Password secure from prying eyes?
And why doesn’t WordPress.com offer ‘full’ HTTPS login?
You can also check out the following link for some more information:
Question 2. How secure is WordPress.com Forum login?
After unsuccessfully searching for answers to the questions above by Googling and in WordPress.com forum, I wanted to ask questions in the forum.
You can manually enter an ‘s’ in the address bar here again to log in to the WordPress.com Forum (https://en.forums.wordpress.com/), but you will still get the padlock symbol with a red line across it.
A strange thing is that when I log in to my blog first from http://wordpress.com/ (or https://wordpress.com/) and then click on the ‘Forum’ link in the top right corner of the first page that appears after logging in (with cookies enabled), I get taken to the main forum page (http://en.forums.wordpress.com/) but I don’t appear to be logged in any more. In fact, it says “Register or log in” in the log in section.
When I enter my Username and Password and click on the log in button, the page refreshes and I am still at the same page, and I find myself not able to log in despite repeated attempts.
However, if I go back to my blog account page by pressing the ‘Go Back’ button on my browser, I can see I am still logged in there.
Another thing that adds to the mystery is that I have once been able to log in using HTTPS but received the following message:
Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?
It is frustrating not to be able to ask these questions in the forum. So if anyone can offer me some explanations, I would be grateful.
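The two browser warnings quoted above correspond to two separate conditions that can be checked in the page's HTML: "Contains unauthenticated content" is the mixed-content case, where an HTTPS page pulls in scripts, images or stylesheets over plain http://, and "the information you have entered is to be sent over an unencrypted connection" is the case where a form on an HTTPS page has an action that resolves to an http:// URL, so the username and password travel in clear text even though the page itself was encrypted. The following script is an added example, not code from the post or from WordPress.com; it uses only the Python standard library, and the sample page, its hostnames (under the reserved `.test` domain) and the `/login` path are constructed for the demonstration and do not describe any real wordpress.com page.

```python
"""Flag login-page mixed-content risks from the HTML of an HTTPS page:
forms whose action resolves to http://, and sub-resources fetched over http://."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample (not a real page): served over HTTPS, but the login form
# posts to HTTP and one script is loaded over HTTP. The search form and the
# scheme-relative image are fine and must not be flagged.
SAMPLE_PAGE_URL = "https://example-blog-host.test/"
SAMPLE_HTML = """
<html><head>
  <script src="http://static.example-blog-host.test/js/login.js"></script>
  <link rel="stylesheet" href="https://static.example-blog-host.test/css/site.css">
</head><body>
  <form action="http://example-blog-host.test/login" method="post">
    <input type="text" name="user">
    <input type="password" name="pass">
  </form>
  <form action="/search" method="get"><input name="q"></form>
  <img src="//static.example-blog-host.test/padlock.png">
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collects insecure form actions and insecure sub-resource references."""

    # Tags that fetch a sub-resource, and the attribute that carries its URL.
    RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure_forms = []      # forms whose resolved action is http://
        self.insecure_resources = []  # sub-resources loaded over http://
        self._form = None             # the form currently being parsed, if any

    def _resolve(self, ref):
        # Relative and scheme-relative references inherit the page's scheme,
        # so "/search" and "//host/x.png" on an https page resolve to https.
        return urljoin(self.page_url, ref)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {
                "action": self._resolve(a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag in self.RESOURCE_ATTRS:
            ref = a.get(self.RESOURCE_ATTRS[tag])
            if ref:
                url = self._resolve(ref)
                if urlsplit(url).scheme == "http":
                    self.insecure_resources.append(url)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if urlsplit(self._form["action"]).scheme == "http":
                self.insecure_forms.append(self._form)
            self._form = None


def scan(page_url, html):
    """Return the insecure forms and resources found in an HTTPS page's HTML."""
    if urlsplit(page_url).scheme != "https":
        # On a plain-http page everything is unencrypted anyway; the checks
        # below only make sense for a page the browser shows as encrypted.
        raise ValueError("scan expects the URL of a page served over HTTPS")
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return {
        "insecure_forms": parser.insecure_forms,
        "insecure_resources": parser.insecure_resources,
    }


def report(findings):
    """Turn scan() output into human-readable lines."""
    lines = []
    for form in findings["insecure_forms"]:
        what = "password form" if form["has_password"] else "form"
        lines.append(f"{what} submits over plain HTTP: {form['action']} ({form['method']})")
    for url in findings["insecure_resources"]:
        lines.append(f"sub-resource loaded over plain HTTP (mixed content): {url}")
    return lines or ["no mixed-content issues found"]


if __name__ == "__main__":
    for line in report(scan(SAMPLE_PAGE_URL, SAMPLE_HTML)):
        print(line)
```

Run against the constructed sample, the script reports the password form posting to http:// (the condition behind the "unencrypted connection" dialog) and the script tag loaded over http:// (the condition behind the "unauthenticated content" padlock), while leaving the relative search form and the scheme-relative image alone. To check a real page, fetch its HTML over HTTPS and pass the final URL and body to `scan`; the same checks are what a modern browser's mixed-content blocking performs automatically.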