Password-protected pages and posts are not very protected!!
I've been looking through “Support” and “Forum” and this seems to be an issue that concerns many bloggers.
I came to realize that when I write password-protected pages or posts, the browser of the person opening the protected page automatically saves the password, even when the person logs out of WP. So no matter which other WP user opens my blog from that browser, he is automatically granted an access I didn't give him.
It obviously just doesn't make any sense. It is about time WP finds a solution. I would understand, and I would find it useful, if the USER didn't need to type in the password after the first time. So the password would be saved not by the user's browser, but by the user's account. THAT would make sense.
So when WP writes:
“WordPress will prompt you for the password on your initial visit to a protected post. After entering the password that first time, WordPress will securely store the password with the browser you entered it with so you won’t have to enter it again.”
it also knows it's a lot of BS. WP should also write: “but pay attention that the password will remain available for ALL the users entering your protected pages from that same browser”…
So please dear WP,
find a solution for this nonsense.
The password is not saved on the person’s computer. There is a cookie that is set and that is read by WordPress and they see that this person had entered the password, so it shows them the post.
I agree that this needs to be looked at and possibly a time limit put on the access or something.
Thank you for your quick answer.
I see what you mean, but the problem is that WP doesn't actually see that this “person” has entered the password, but rather that the “browser” has done it… The problem is, obviously, that different users can enter the blog through the same browser.
I think rather than a time limit it should be a “user” limit, if you know what I mean… Every time you sign out of your WP account, the password is canceled and next time you will need to type it in again. In a perfect world, WP would recognize that that user already knows the password and simply not ask for it again, but hey, maybe I ask too much ;)
No, what WordPress sees, from the information it gets from the cookie, is that whoever it was entered the password correctly once. There is no way to tell if an actual person typed in the password, or if it was a script, or even a chimpanzee. WordPress cannot “look”; it has no camera to see how the password was entered, just as they have no way of telling that YOU are the one that typed in the username and password to get into your account here.
Each computer is a single entity as far as the web goes because the only identifying things that WordPress has to go off of is the IP address and possibly the MAC address for the computer. The IP address might not ever change if the computer is on a network.
This is far more complex to accomplish than you realize.
One more thing: Password protecting pages and posts is NEVER going to be a high level of security because all it takes is someone posting the password on Twitter or Facebook or Google+ and your protection is dead.
If you want more control, set up a second blog and put the private stuff on that, set that site to private and then have people sign up for a wordpress.com username and password and invite them to that blog. That still isn’t totally secure though if they happen to do the “remember me” when they signed in. Anyone getting on that same computer would then still be able to get into that site since the person has saved the username and password to their computer/browser.
Bottom line: Security on the internet is a pipe dream. You do the best you can to protect your login information and keep people off of your computer and log out of your computer if you leave it for any length of time.
Yeah, I hear you.
I just wanted to point out the problem due to his nonsense. Then there is just one last thing I would appreciate from WP: warn the bloggers about this little inconvenience. That can't be so complex, right?
I think they could make things better, but I’m not sure what the final result would be. Perhaps they will see this thread and take it under advisement and come up with something. Or, perhaps they won’t. No one ever knows what they are going to do.
And you are welcome.
The topic ‘Password-protected pages and posts are not very protected!!’ is closed to new replies.
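Added example, not part of the thread and not WordPress's own code: the time limit and the "forget it when I sign out" behaviour discussed above, written as a small plugin. It assumes a self-hosted WordPress install where you can load your own plugin code; the plugin name and the one-hour lifetime are illustrative choices.

```php
<?php
/**
 * Plugin Name: Post password cookie limits (illustrative example)
 *
 * The post password is remembered in a browser cookie named
 * 'wp-postpass_' . COOKIEHASH. It belongs to the browser, not to any
 * WordPress account, so it survives a normal account logout.
 */

// 1) Time limit: shorten how long the browser keeps the cookie.
//    WordPress core defaults to 10 days; one hour is an illustrative value.
//    Returning 0 instead would make it a session cookie that is dropped
//    when the browser is closed.
add_filter( 'post_password_expires', function ( $expires ) {
    return time() + HOUR_IN_SECONDS;
} );

// 2) "User" limit: when someone logs out of their account in this browser,
//    also expire the post password cookie so the next person using the
//    same browser is prompted again.
add_action( 'wp_logout', function () {
    $name = 'wp-postpass_' . COOKIEHASH;

    if ( isset( $_COOKIE[ $name ] ) ) {
        // Same name, path and domain as the original cookie, with an
        // expiry in the past, so the browser deletes it.
        setcookie( $name, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
        unset( $_COOKIE[ $name ] );
    }
} );
```

The logout hook only helps when the previous visitor actually logs out; a visitor who entered the post password without being logged in to any account is covered only by the shorter lifetime.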