A few days ago I commented on social networks after seeing a friend log into his blog on open WiFi without any concern. Why should you worry? Well, when we log in to WordPress without HTTPS, the password travels in clear text over the network, and anyone sniffing the traffic can capture it.
In the following image you can see an example with Wireshark, an excellent application to capture and analyze packets. By logging into my blog and analyzing what travels online, I can see the password without further complications:
The same will happen with any site or form that does not encrypt the information before sending it to the server, that is, one that is not using HTTPS (the famous padlock) during login.
That is why it is always recommended to check for HTTPS before entering sensitive information on a website, such as usernames, passwords, credit card numbers, etc. If HTTPS is in use, the information that travels over the network cannot be seen in clear text.
Let's see another example, in this case with the site statcounter.com:
The password travels in clear text; however, the service supports login and the use of a secure session when accessing https://statcounter.com. In this way, neither the user nor the password entered will be visible.
Now, configuring an SSL certificate on the server for the WordPress login (and the entire session) may not be the most practical option for most bloggers, but there are alternatives that are easier to apply, such as installing plugins that encrypt the password during login. One of them is Chap Secure Login, which uses the CHAP protocol.
In the following screenshot you can see that when using it, the password no longer travels in clear text:
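To show why a CHAP-style login keeps the password off the wire, here is an added example (not the plugin's code and not part of the original post) of a generic challenge-response exchange. The Server class, the function names, the SHA-256/HMAC construction and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account. The stored value stands in for the per-user
# secret kept by the server (an assumption, not the plugin's storage format).
# Note that this stored hash is password-equivalent and must be protected.
USERS = {"admin": hashlib.sha256(b"correct horse").hexdigest()}


class Server:
    def __init__(self, users):
        self.users = users
        self.pending = {}  # username -> outstanding one-time challenge

    def issue_challenge(self, username):
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username, response):
        # pop() makes each challenge single-use, so a captured response
        # is useless for any later login attempt.
        nonce = self.pending.pop(username, None)
        secret = self.users.get(username)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    """Value the browser sends in place of the password itself."""
    secret = hashlib.sha256(password.encode()).hexdigest()
    return hmac.new(secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    server = Server(USERS)
    nonce = server.issue_challenge("admin")
    on_the_wire = client_response("correct horse", nonce)  # what a capture shows
    first = server.verify("admin", on_the_wire)            # legitimate login
    server.issue_challenge("admin")                        # next login, new nonce
    replay = server.verify("admin", on_the_wire)           # old value reused
    return on_the_wire, first, replay


if __name__ == "__main__":
    wire, first, replay = demo()
    print("sent on the wire:", wire)
    print("login accepted:", first, "| replay accepted:", replay)
```

This protects only the login secret against passive capture; the session cookie and the rest of the HTTP session still travel unencrypted, so HTTPS or a VPN remains the stronger fix.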
Another alternative is to use a VPN, so that all the traffic from our computer leaves in encrypted form and cannot be interpreted by an attacker. I particularly like the service offered by AlwaysVPN for being very easy to use on Windows, Linux and Mac (although it is paid), but there are also free options.
In the following image you can see the packets captured from a VPN connection, in this case neither the password nor the sites through which you browse are visible to the naked eye:
Finally, another good option if you have a mobile phone with 3G is to share that connection with the notebook to access the blog and other services that require sending sensitive data. It is worth mentioning that if the mobile connection is shared in WiFi mode, it is important to encrypt the access point so others can't connect.
I hope the information is useful. Be careful when connecting on open WiFi networks; you never know who may be listening 🙂