WordPress is one of the world’s most popular content management systems. It’s used by large and small websites around the world.
On most days, WordPress is a safe and secure platform. Unfortunately, a recent security flaw has put that security in jeopardy.
That security flaw exposes your WordPress login session to network sniffing tools. Anyone watching the traffic on the same network, such as a public Wi-Fi hotspot, can copy your login cookie and use it to get into your WordPress account without ever needing your username or password.
The flaw is related to cookies and was first exposed by Yan Zhu, a technologist at the Electronic Frontier Foundation. The specific cookie is called “wordpress_logged_in”, and it is what the browser presents to the site on every request to prove that the user has already logged in.
Almost all websites have a similar login cookie. It’s the same reason why you don’t have to type your login information every time you visit Facebook or Twitter. Unfortunately, WordPress sends this cookie in plain text: it is not restricted to encrypted (HTTPS) connections, so the browser hands it over whenever it loads an ordinary http:// page on the site.
That means anyone on the network path can view the login cookie, copy it, and load it into their own browser to access your WordPress account.
Once someone has logged into your WordPress account, they can freely add posts, delete posts, break your website, upload new themes, and basically control every aspect of your site.
What’s worse is that the cookie is valid for a ridiculously long time: three years. It is unclear whether a stolen copy keeps working after the real user logs out or changes their password, so a hijacker could potentially keep using the cookie long after the theft.
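To make the two problems above concrete, here is a small script that shows what a passive sniffer sees on a plain-HTTP page request and then audits a `Set-Cookie` header for the flags and lifetime a login cookie should have. This is an added example for this article, not code from the original post or from WordPress; the captured request and both `Set-Cookie` headers are constructed samples with made-up cookie values and a placeholder hostname. The only real detail is that WordPress names the cookie with the prefix `wordpress_logged_in` (the full name carries a site-specific suffix). The `Secure` flag is the standard HTTP mechanism that stops a browser from sending a cookie over unencrypted connections; `HttpOnly` keeps it out of reach of page scripts.

```python
"""Sniff a plaintext request for the login cookie and audit how it was set.

Added example, not code from the original article or from WordPress.
All cookie values, hostnames and dates below are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

LOGIN_COOKIE_PREFIX = "wordpress_logged_in"  # real name has a site-specific suffix

# Constructed: an ordinary http:// page request as a sniffer on the same
# network would see it. The browser attaches every cookie in scope, so a
# plain page view leaks the session just as surely as the login itself.
SNIFFED_REQUEST = (
    "GET /2014/05/hello-world/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: wordpress_test_cookie=WP+Cookie+check; "
    "wordpress_logged_in_0123456789abcdef=alice%7C1495756800%7Cdeadbeef%7Ccafe\r\n"
    "\r\n"
)

# Constructed: a login cookie set the way the article describes (no Secure
# flag, three-year lifetime) beside one hardened with Secure, HttpOnly and a
# two-week lifetime. CAPTURE_TIME is the moment the headers were observed.
WEAK_SET_COOKIE = (
    "wordpress_logged_in_0123456789abcdef=alice%7C1495756800%7Cdeadbeef%7Ccafe; "
    "expires=Fri, 26 May 2017 00:00:00 GMT; path=/"
)
HARDENED_SET_COOKIE = (
    "wordpress_logged_in_0123456789abcdef=alice%7C1401969600%7Cdeadbeef%7Ccafe; "
    "expires=Mon, 09 Jun 2014 00:00:00 GMT; path=/; Secure; HttpOnly"
)
CAPTURE_TIME = datetime(2014, 5, 26, tzinfo=timezone.utc)


def login_cookies_in_request(raw_request: str) -> dict:
    """Return the login cookies a plaintext HTTP request carries (name -> value)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    cookie_header = ""
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            cookie_header = value.strip()
    found = {}
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name.startswith(LOGIN_COOKIE_PREFIX):
            found[name] = value
    return found


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_login_cookie(header: str, now: datetime) -> dict:
    """Report whether a login cookie can be sniffed and how long it stays valid."""
    name, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        lifetime_days = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        lifetime_days = (parsedate_to_datetime(attrs["expires"]) - now).days
    else:
        lifetime_days = 0  # session cookie: discarded when the browser closes
    problems = []
    if not attrs.get("secure"):
        problems.append("no Secure flag: the browser will send it over plain HTTP")
    if not attrs.get("httponly"):
        problems.append("no HttpOnly flag: readable by any script on the page")
    if lifetime_days > 30:
        problems.append(f"valid for {lifetime_days:.0f} days; a stolen copy works that long")
    return {
        "name": name,
        "secure": bool(attrs.get("secure")),
        "httponly": bool(attrs.get("httponly")),
        "lifetime_days": lifetime_days,
        "problems": problems,
    }


if __name__ == "__main__":
    print("sniffed login cookies:", login_cookies_in_request(SNIFFED_REQUEST))
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, audit_login_cookie(header, CAPTURE_TIME))
```

Run against the constructed samples, the sniffer function pulls the `wordpress_logged_in_…` cookie straight out of a request for an ordinary blog post, and the audit flags the weak header on all three counts (no `Secure`, no `HttpOnly`, 1096-day lifetime) while passing the hardened one. The same audit can be applied to the `Set-Cookie` header your own site returns after login, as seen in the browser’s developer tools or an intercepting proxy.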
Another problem is that the hacker can set up two-factor authentication and effectively lock the real user out of the account. The real user would try to log in and be prompted for a code from a text message sent to “their phone”, which was in reality sent to the hacker’s phone.
Fortunately, WordPress is aware of this issue and WordPress developer Andrew Nacin told Yan Zhu that the issue would be fixed in the next WordPress release. It’s unknown when that release will arrive.
In the meantime, you should avoid using WordPress on public wireless networks – like coffee shops. Because the browser sends the cookie with every unencrypted request, simply browsing a site you are logged into is enough to expose it, not just the act of logging in.