Hi guys I use WordPress for most of my website, and I noted that the login screen is not in https in most of the wordpress sites.
How does this affect security, is my site vulnerable, and so are the other WordPress sites?
What can be done to improve my security for my wordpress website, which is this one: http://www.ryansammut.com
You can force the login and entire administration area in WordPress by defining:
define('FORCE_SSL_ADMIN', true);in your wp-config.php file.
For more information on see Administration over SSL in the Codex
In terms of your last question, I would direct you to this plugin: http://wordpress.org/extend/plugins/wp-security-scan/. It will tell you a number of vulnerabilities with your site and it does a good job telling you what you can do to address said vulnerabilities. While it will point out some vulnerabilities, it will not identify all of them. As such, this should be seen as a way to enhance security, but it offers no guarantee that this will make your site bulletproof.
Additionally, always make sure your WP version is up to date!
After logging in with a username and password the actual authentication token is your cookie. There is no point in just protecting the login and you are still in clear violation of OWASP A9. As it stands a child could use firehsheep to bypass your security.
I agree with @Rook.
To be 100% sure that it is secure you have to put all of the site (the part where you have to login atleast) as https.
Otherwise one can use the cookie and still gain access.
Having a proper SSL certificate is now mandatory for websites. Like you said your login page is not HTTPS (s for secure). There are a lot of cases where google marked website âdeceptiveâ or âunsafeâ because they did not have SSL.
Also, if some of your pages do have HTTPS but login page doesnât have it, Google views this as a website containing mixed content (mixture of safe and unsafe content) and flags it as deceptive. Now, these warnings can restrict your web traffic and can affect your siteâs reputation too. So, itâs better to move all web pages to HTTPS.
For WordPress, there are several plugins which can help you move to HTTPS. One of them is this – Really Simple SSL.
Note: DO NOT forget to make your website redirect from HTTP to HTTPS.