If your blog runs on WordPress and is hosted on WordPress.com, be careful about where you log in to its administration panel. In particular, do not log in over public Wi-Fi: anyone on the same network can capture your session and take over your account, even if you have enabled two-factor authentication, because a stolen session cookie is replayed after the second factor has already been checked.
Yan Zhu, a security researcher at the Electronic Frontier Foundation (EFF), observed that blogs hosted on WordPress.com send the user's authentication cookie in plain text over unencrypted HTTP. As a result, even a script kiddie can steal the credential that identifies a logged-in user.
When WordPress users log in to their account, the WordPress.com servers set a cookie named "wordpress_logged_in" in the user's browser, as Yan Zhu reports on her blog. She noticed that this authentication cookie is transmitted over plain HTTP, which exposes it to anyone able to observe the connection.
An attacker on the same Wi-Fi network can grab that HTTP cookie with an off-the-shelf network sniffing tool such as Firesheep. Adding the cookie to any other web browser gives the attacker unauthorized access to the victim's WordPress account without ever learning the password.
The good news is that a WordPress site served over HTTPS is not exposed to this cookie-reuse flaw, provided all traffic really does travel over HTTPS: the login cookie should be issued with the Secure flag, so that the browser never sends it on a plain HTTP request even if the user opens an http:// link to the site.
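The following is an added illustration of the sniff-and-replay scenario described above and of the Secure-flag check that makes HTTPS actually protect the cookie. It is example code written for this article, not Yan Zhu's, Firesheep's or WordPress's own code; the captured request, the cookie hash suffix, the username and the cookie value are all constructed, and the two Set-Cookie headers are hypothetical.

```python
"""Added example: pull a WordPress login cookie out of a plaintext HTTP request
(what a sniffer such as Firesheep does on shared Wi-Fi), and check whether a
Set-Cookie header carries the Secure flag that keeps the browser from ever
sending the cookie over HTTP. All sample data below is constructed."""
import re

# Constructed capture: one request as seen on the wire over plain HTTP.
# WordPress names the login cookie wordpress_logged_in_<hash>; the hash,
# username and value here are made up.
CAPTURED_REQUEST = (
    b"GET /wp-admin/ HTTP/1.1\r\n"
    b"Host: example.wordpress.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: wordpress_logged_in_abc123=alice%7C1500000000%7Cdeadbeef; "
    b"wp-settings-1=editor%3Dtinymce\r\n"
    b"\r\n"
)

LOGIN_COOKIE = re.compile(r"^wordpress_logged_in(_[0-9a-f]+)?$")


def parse_cookie_header(value):
    """Split a Cookie: header value into {name: value}."""
    jar = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep:
            jar[name.strip()] = val.strip()
    return jar


def sniff_login_cookies(raw_request):
    """Return the wordpress_logged_in* cookies found in a plaintext HTTP request.

    Only the header block is inspected. Over HTTPS a sniffer would see nothing
    but TLS records, so this only works against plain HTTP traffic."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    stolen = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            for k, v in parse_cookie_header(value).items():
                if LOGIN_COOKIE.match(k):
                    stolen[k] = v
    return stolen


def replay_cookie_header(stolen):
    """Build the Cookie: header the attacker adds to their own browser."""
    return "; ".join(f"{k}={v}" for k, v in stolen.items())


def set_cookie_attributes(set_cookie_value):
    """Parse a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def browser_would_send(set_cookie_value, scheme):
    """Model the browser rule that matters here: a cookie flagged Secure is
    never attached to a request over plain http, so it cannot be sniffed even
    if the user is lured onto an http:// URL of the same site."""
    _, attrs = set_cookie_attributes(set_cookie_value)
    return not ("secure" in attrs and scheme == "http")


# Hypothetical Set-Cookie headers: the first lets the cookie travel over HTTP,
# the second is the hardened issuance.
WEAK_SET_COOKIE = (
    "wordpress_logged_in_abc123=alice%7C1500000000%7Cdeadbeef; path=/; HttpOnly"
)
SAFE_SET_COOKIE = (
    "wordpress_logged_in_abc123=alice%7C1500000000%7Cdeadbeef; path=/; Secure; HttpOnly"
)


if __name__ == "__main__":
    stolen = sniff_login_cookies(CAPTURED_REQUEST)
    print("sniffed:", stolen)
    print("replay header:", replay_cookie_header(stolen))
    for label, hdr in (("weak", WEAK_SET_COOKIE), ("safe", SAFE_SET_COOKIE)):
        print(label, "sent over http:", browser_would_send(hdr, "http"),
              "over https:", browser_would_send(hdr, "https"))
```

The point of the second half is that HTTPS on its own is not the whole fix: if the cookie is issued without the Secure flag, a single http:// request to the site (a bookmark, a link in an e-mail, a captive portal redirect) makes the browser hand the cookie to anyone sniffing the network, and the attacker then replays it with the header built by `replay_cookie_header`.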