Semisecure Login Reimagined v3

Semisecure Login Reimagined v3 is now available. This release includes a number of changes from previous versions.

For starters, past versions relied on RSA public-key encryption alone. Version 3 now uses a combination of public and secret-key encryption. This means that there is no longer a limit on the length of passwords that can be encrypted. The limit in earlier versions was large enough that I doubt it affected anyone, however.

Initially, two secret-key algorithms are provided: RC4 (a stream cipher) and AES (a block cipher). On the JavaScript side I chose to go with the crypto-js library. Unfortunately, there wasn’t a complementary PHP library so I ended up converting the majority of crypto-js to PHP.

Past versions of this plugin didn’t behave themselves very well when stepping outside of the ASCII character bounds. (Western ISO-8859-1 might be more technically correct.) Version 3 now has support for UTF-8 passwords. Only UTF-8 is supported. If your blog is using another character encoding then your mileage may vary.
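The password-length limit and the UTF-8 point above, as an added example (not the plugin's code or wire format): Node.js `crypto` with a constructed 2048-bit key, OAEP padding and AES-256-GCM, all of which are assumptions chosen for the illustration. RSA alone rejects a password whose UTF-8 encoding exceeds one RSA block, while the hybrid form only ever puts a fixed-size key through RSA.

```javascript
// Added example: RSA-only vs. hybrid (RSA + AES) password encryption.
const nodeCrypto = require('crypto');

// Constructed demo keypair; key size and padding are assumptions for this example.
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING;

// RSA alone: the whole password must fit in a single RSA block
// (214 bytes for a 2048-bit key with OAEP/SHA-1). Returns true if RSA rejects it.
function rsaOnlyFails(password) {
  try {
    nodeCrypto.publicEncrypt({ key: publicKey, padding: OAEP }, Buffer.from(password, 'utf8'));
    return false;
  } catch (e) {
    return true;
  }
}

// Hybrid: a fresh random AES key encrypts the password bytes of any length;
// RSA only wraps that 32-byte key.
function hybridEncrypt(password) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: publicKey, padding: OAEP }, key);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Server side: unwrap the AES key with the private key, then decrypt and verify.
function hybridDecrypt(msg) {
  const key = nodeCrypto.privateDecrypt({ key: privateKey, padding: OAEP }, msg.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
}

// GCM authenticates the ciphertext: a flipped bit makes decryption throw.
function tamperDetected(msg) {
  const bad = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  bad.ciphertext[0] ^= 1;
  try { hybridDecrypt(bad); return false; } catch (e) { return true; }
}

// Constructed sample: 120 characters, but 240 bytes once encoded as UTF-8.
const longPassword = 'é'.repeat(120);
```

The limit is counted in encoded bytes, not characters, which is why a non-ASCII password reaches it sooner than its visible length suggests.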

The settings page was starting to get long and unwieldy. This has been corrected by splitting each section into sub-pages.

If you’re having trouble generating an RSA keypair then you can now (optionally) display some debugging information to get you pointed in the right direction.

The main reason that the version has been bumped up to version 3 (rather than… say… 2.5) is because the integration API has changed. This change was necessary because of the secret-key addition. Hopefully now, the integration has also been simplified a bit.

Finally, support for older versions of WordPress has been dropped. Semisecure Login Reimagined v3 requires WP 2.7 (or higher) and PHP 4.3 (or higher). Seriously, if you’re running an older version of WordPress you’re just asking to be hacked! OpenSSL is still required, but no other PHP extensions are required (including mcrypt, etc).

Download
The download location hasn’t changed :) You can still download Semisecure Login Reimagined at its official WordPress page.


44 Comments

  • wingman (Sep 20, 2009)

    version 3.0.6.2 works with nonce disabled


  • VVOR (Oct 04, 2009)

    Awesome plugin! Tnx! VVOR http://www.vvor4.nl



  • Viper007Bond (Dec 05, 2009)

    Thanks for the great plugin! I’d love an option that somehow made
    it impossible to log in without using this. Perhaps removing the
    login fields and adding them back using JavaScript or something.
    That way a password will never be sent in the clear ever.


  • moggy (Dec 17, 2009)

    @Viper — I’ll consider it for a future version. I always liked the way that the original plugin let you disable JavaScript to log in without encryption (something that I kept for this reimagined version). IMO, that was one of the selling points for using it over Chap Secure Login.


  • Micah (Dec 23, 2009)

    Hey moggy, after installing WordPress 2.9 and this plugin, I had
    trouble logging back in when I later tried to log back in. The
    resolution was to delete this plugin from the plugins folder. The
    only other active plugins I had were WP Total Cache and Akismet.
    Just an FYI in case you hear anything else.


  • moggy (Dec 24, 2009)

    @Micah — Thanks for the report. If you disable JavaScript in your browser you should be able to log in (without encryption). I’ve never used that specific caching plugin, but you might need to set nonces to use the async option. You could also try disabling nonces.


  • Micah (Dec 24, 2009)

    I actually did set the nonces option to async and that didn’t work.
    I tried to disable nonce and that seemed to actually work on
    initial testing. The error I was getting after trying to log in was
    a red block above the log in fields saying, “The password field is
    empty.” over and over. Of course this was false since I had a
    password in there every time.


  • Chantak (Jan 10, 2010)

    Can you add the Poly1305-AES encryption in your plugin? The link
    is: http://cr.yp.to/mac.html


  • Micah (Mar 01, 2010)

    Does this plugin not work with Windows servers? It’s referencing
    OpenSSL but I’m guessing that this is only installed on Unix-based
    servers. When I tried to activate this on a Windows server with
    WordPress, it would not properly activate since it couldn’t use
    OpenSSL.


  • Sanaa (Mar 14, 2010)

    I recently installed the Theme My Login plugin and on the login
    page it says, semisecured is not enabled. In the back end, it is
    and I’m just wondering what I need to do to have it working. I’m
    new at all of this but one of my other blogs was hacked, so I have
    a TON of security on all 4 of my sites now. And, I’d like to use
    your plugin so that the login page doesn’t say wordpress in hopes
    that hackers won’t be able to tell what the sites are powered by.
    (I am working on removing wordpress from the meta tags)…help?


    • moggy (Mar 16, 2010)

      It looks like that plugin implements the login_form hook which is why you see the “not enabled” message. It doesn’t seem to implement the login_head hook, however, which is where my plugin loads in the required JavaScript. This would need to be fixed on the Theme My Login side. Either that, or you’d need some custom integration.

  • Lee C (May 20, 2010)

    Just installed this plugin and immediately received a 404 error affecting my entire site (both front and back end areas). It’s completely inaccessible!

    I renamed the plugin and it made no difference, I deleted the plugin and it also made no difference, I checked the database for entries referring to the plugin and there are none… Basically this plugin has made my site completely inaccessible…and I was supposed to launch it tomorrow night!!

    Is there a way to rectify this or will I have to start over again??

    Thanks in advance,

    Lee C

    P.S.
    Just to clarify, I simply installed this plugin (Version: 3.0.8.4) via the built-in WP installation module and instantly received the site-wide 404 error. This error only applies to this site (linked to in ^my details^) and all other sites under my domain are functioning as normal, therefore it is clearly directly linked to this plugin. The plugin has been deleted and no longer resides in my plugins folder, and there are no database entries that I can see. This is all the info I’m able to provide on this issue…


    • moggy (May 20, 2010)

      Sorry to hear about your troubles. Did you figure out the issue? I’m not seeing a 404 when I visit your site.

      Since you renamed/deleted this plugin and still saw the error, my initial guess is that something else was causing the issue. Did you get around to activating the plugin, or just install it via the built-in installer?

    • Lee C (May 21, 2010)

      Apologies for the delay in responding, I’m only online a couple hours a night so only just got back to this site.

      The issue seems to have resolved itself. I’d ordered a dedicated IP from my host and it was applied last night, but I can’t see it causing this issue as all other sites under the same domain were functioning as normal. I’m still convinced this plugin was responsible (no offence) as it’s too much of a coincidence for it to occur immediately after activation, so I won’t be installing it again.

      It’s definitely confusing how it occurred and resolved itself just as randomly but I’m afraid I can’t risk delaying this project any further by trying to re-create the issue. If I try it in another project tho I will let you know how it goes just for reference sake…

  • Doug (May 21, 2010)

    Hello. On a WP 3 beta2 site (non-live site) I tested the plugin, and I noticed the following. The Admin could login, but no other user roles could login. Also, once I got locked out for the huge bunch of hours because of trying each user role, I tried to get back into my site by deleting the plugin via FTP. No luck. I also tried deleting the quick-cache plug-in, and the cache folder, still no luck. Is there any way to use FTP to disable this and get back into my site? Or am I just stuck to wait for all those hours? Thanks for all you do! :-)


  • Doug (May 21, 2010)

    My apologies! I had tested more than one plugin, and I seem to have deleted the wrong one! :)

    I deleted another login plugin that had already been deactivated before testing yours.

    I feel sheepish. Let me try again.

    The part about only Admin being able to login is accurate though.


  • Doug (May 21, 2010)

    I feel even more sheepish. The problem of only Admin being able to login was not caused by this plugin. It was caused by another one. Forgive me! :-)


  • moggy (May 22, 2010)

    For anyone who’s testing with WP3b2, feel free to check out the latest beta of this plugin. The required WP version is bumped to 2.8, and most of the changes are related to multisite integration.

    Just download the development version from here.

