wordpress authentication challenge-response

Does WordPress encrypt the login credentials in the browser before they get sent to the server?


I am wondering if someone who hacks a WordPress site and installs a WordPress module on the server is able to read all user credentials of the users who log on. I know the passwords are stored as hashes in the database and are more or less useless if they are read out, but I mean users who log on as long as a threatening WordPress module is active.

Does WordPress send the user login data as clear text to the server (I know that via TLS the traffic is encrypted, but it gets decrypted on the server), or does some hashing or similar operation already happen in the browser (challenge-response) so that the user credentials never leave the computer/browser where they were entered?


Solution

  • Does WordPress send the user login data as clear text?

    Yes. Logging in is a pure form post.
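
To make the answer concrete, this added example (not from the original post or from WordPress) contrasts what the server receives from a plain form post with a hypothetical challenge-response exchange of the kind the question describes. The field names `log` and `pwd` are those of the WordPress login form; the HMAC scheme, its PBKDF2 parameters and the sample credentials are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the hypothetical scheme


def login_form_body(username: str, password: str) -> str:
    """Body of the plain form post; `log` and `pwd` are the login form's field names."""
    return urlencode({"log": username, "pwd": password, "wp-submit": "Log In"})


def server_visible_fields(body: str) -> dict:
    """Everything server-side code handling the request can read from the post."""
    return {name: values[0] for name, values in parse_qs(body).items()}


def derive_key(password: str, salt: bytes) -> bytes:
    """Key the hypothetical scheme derives from the password on both sides."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def client_response(password: str, salt: bytes, nonce: bytes) -> str:
    """Hypothetical challenge-response client: only an HMAC over the nonce is sent."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).hexdigest()


def server_verify(stored_key: bytes, nonce: bytes, response: str) -> bool:
    """Server recomputes the HMAC for the nonce it issued and compares in constant time."""
    expected = hmac.new(stored_key, nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    user, password = "alice", "correct horse battery staple"  # constructed sample
    seen = server_visible_fields(login_form_body(user, password))
    salt, nonce1, nonce2 = (secrets.token_bytes(16) for _ in range(3))
    stored = derive_key(password, salt)  # assumption: server stores this derived key
    resp = client_response(password, salt, nonce1)
    return {
        "form_post_exposes_password": seen["pwd"] == password,
        "response_contains_password": password in resp,
        "fresh_nonce_accepts": server_verify(stored, nonce1, resp),
        "replayed_response_accepts": server_verify(stored, nonce2, resp),
    }


if __name__ == "__main__":
    print(demo())
```
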