If you have a blog that runs on WordPress and is hosted on WordPress.com, you should be very careful when logging in to your website's management panel. What do we mean? When connecting to WordPress.com, do not use public Wi-Fi, because you may hand your data over to a malicious user. Your account can be hijacked even if you have enabled two-factor authentication.
Yan Zhu, a security researcher at the Electronic Frontier Foundation (EFF), observed that blogs hosted on WordPress.com send the user's authentication cookies as plain text rather than encrypted. So even a script kiddie can intercept login information.
When WordPress users log in to their account, the WordPress.com servers set a cookie named "wordpress_logged_in" in the user's browser for her blog. The researcher noticed that this authentication cookie is sent over plain HTTP, which is very insecure.
A malicious user on the same Wi-Fi network can easily grab the HTTP cookie with a specialized tool such as Firesheep, a network sniffing tool. The cookie can then be loaded into any other web browser and will give the attacker unauthorized access to the victim's WordPress account.
The good news is that if you have a WordPress website hosted on a server that supports HTTPS, your blog is not vulnerable to this cookie reuse.
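The underlying defect is an authentication cookie issued without the Secure attribute, which is what stops a browser from sending it over plain HTTP at all. The following audit script is an added example, not WordPress.com's own code: it parses Set-Cookie headers and flags login cookies missing Secure or HttpOnly. The sample headers are constructed, and the cookie prefixes other than wordpress_logged_in are assumptions.

```python
"""Audit Set-Cookie headers for login cookies lacking the Secure flag."""
from dataclasses import dataclass, field

# Cookie name prefixes treated as carrying a login session.
# "wordpress_logged_in" is the cookie from the article; the rest are assumed.
AUTH_COOKIE_PREFIXES = ("wordpress_logged_in", "wordpress_sec", "sessionid")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple:
    """Split a Set-Cookie header into (name, value, {attr_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> CookieReport:
    """Flag a login cookie that a browser would send in cleartext or expose to scripts."""
    name, _, attrs = parse_set_cookie(header)
    report = CookieReport(name, "secure" in attrs, "httponly" in attrs)
    if name.lower().startswith(AUTH_COOKIE_PREFIXES):
        if not report.secure:
            report.problems.append("auth cookie without Secure: sent over plain HTTP")
        if not report.httponly:
            report.problems.append("auth cookie without HttpOnly: readable by page scripts")
    return report


def audit_all(headers):
    return [audit_set_cookie(h) for h in headers]


# Constructed samples: first mirrors the issue in the article, second is hardened,
# third is a non-session preference cookie that needs no Secure flag.
SAMPLE_HEADERS = [
    "wordpress_logged_in_abc123=alice%7C1401234567%7Ctok; path=/; HttpOnly",
    "wordpress_logged_in_abc123=alice%7C1401234567%7Ctok; path=/; Secure; HttpOnly",
    "wp-settings-time-1=1401234567; path=/",
]

if __name__ == "__main__":
    for r in audit_all(SAMPLE_HEADERS):
        print(r.name, "OK" if not r.problems else "; ".join(r.problems))
```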