CHAP Secure Login

> wordpress-2.5 (current version 1.5.2)  [download]

< wordpress-2.3 (old version 1.2)  [download]

What does it do?

I wrote this plugin because I needed to secure authentication to the blog when working over an insecure channel, such as an unprotected ad-hoc wireless link, in cases where you cannot use a secure protocol like HTTPS on your server.

How do I install it?

To install the plugin, follow the simple procedure common to many other WordPress plugins: decompress the file into the directory wp-content/plugins. The final path will be wp-content/plugins/chap-secure-login/, which will contain the .php file and the .js file.

How do I use it?

It is very easy to use: after you have activated it from the WordPress plugins panel, you only have to log out and try to log in again. After this operation the password will travel encrypted even on insecure channels.

How does it work?

The figure below illustrates how it works, based on the CHAP protocol. A random number is used to cipher the key and to verify it.

[Figure: securelogindiagram.gif]

The post "SSL assente? No problem... usa CHAP login system" explains in more detail how this protocol works. Don't forget to leave a comment to say whether the plugin works for you (or not).
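The challenge-response exchange described above, written out for both sides as an added example (this is not the plugin's code). The response formula hash(hash(password) + challenge), the class and function names, and the use of SHA-256 in place of the MD5 shipped in md5.js are assumptions made for illustration.

```javascript
// Added example, not the plugin's code. SHA-256 replaces the MD5 of md5.js.
const crypto = require('crypto');
const h = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

class ChapServer {
  constructor() {
    this.secrets = new Map(); // user -> h(password), the shared secret
    this.pending = new Map(); // login session -> outstanding challenge
  }
  register(user, password) {
    // Caveat: this stored value is password-equivalent for the protocol.
    this.secrets.set(user, h(password));
  }
  issueChallenge(sessionId) {
    const challenge = crypto.randomBytes(16).toString('hex');
    this.pending.set(sessionId, challenge);
    return challenge; // sent in clear inside the login form
  }
  verify(sessionId, user, response) {
    const challenge = this.pending.get(sessionId);
    this.pending.delete(sessionId); // single use: a retry needs a fresh page
    const secret = this.secrets.get(user);
    if (!challenge || !secret) return false;
    const expected = Buffer.from(h(secret + challenge), 'hex');
    const got = Buffer.from(String(response), 'hex');
    return got.length === expected.length &&
      crypto.timingSafeEqual(got, expected);
  }
}

// Browser side: computed by the login page's script before the form is sent.
function clientResponse(password, challenge) {
  return h(h(password) + challenge);
}

function demo() {
  const server = new ChapServer();
  server.register('admin', 'correct horse'); // constructed credentials
  const c1 = server.issueChallenge('s1');
  const r1 = clientResponse('correct horse', c1);
  const login = server.verify('s1', 'admin', r1);
  const cachedPage = server.verify('s1', 'admin', r1); // back button, old challenge
  server.issueChallenge('s2');
  const replay = server.verify('s2', 'admin', r1); // sniffed response, new challenge
  const c3 = server.issueChallenge('s3');
  const wrong = server.verify('s3', 'admin', clientResponse('guess', c3));
  return { login, cachedPage, replay, wrong, onWire: r1 };
}
console.log(demo());
```

Only the password is protected, and only against a passive listener: the session cookie and page content still cross the channel in clear, and the stored h(password) works as the login secret if the database leaks.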

Common Mistakes:

Many people copy only the files into the wp-content/plugins/ directory. This is wrong. You should have a wp-content/plugins/chap-secure-login/ directory containing two files, chapsecurelogin.php and md5.js.

If something goes wrong, simply delete the files that you copied into WordPress, via FTP. This restores the default WordPress login system. Check the "Common Mistakes" area!

 

Reader's Comments

  1. Musikele |

    First problems encountered….
    1. you need to specify more clearly that the CHAPSecureLogin folder must be copied into wordpress. In my cheekiness I copied only the files, and the result was that I could no longer log in. Luckily I deleted the files via ftp and everything went back to “standard”. Now the plugin works, or at least seems to work (I have no tools to see what really passes over the channel).

    There is just one small, big problem (more aesthetic than anything else): when I press the “log out” button this warning is generated:

    Warning: session_start() [function.session-start]: Cannot send session cache limiter – headers already sent (output started at /home/mhd-01/www.ilparticolarenascosto.it/htdocs/wp-login.php:30) in /home/mhd-01/www.ilparticolarenascosto.it/htdocs/wp-content/plugins/CHAPSecureLogin/chapsecurelogin.php on line 30

    If you have read my previous post, I found out that this kind of “headers already sent” warning is raised when the .php file contains spaces before ; In the file wp-login.php at line 30 there is something strange, a ?>> (the first closes the php and the other closes some html thing); in practice it really has already sent the headers, but I don’t think you can start modifying that file, it is part of the standard wordpress installation.
    What do you suggest? I have neither ideas nor solutions, since I know very little about php and its inner workings.
    Anyway, apart from this annoyance that shows up when you log out, everything works (or at least I can log in).

  2. Musikele |

    Damn! When I say “before ;” it ate the php opening and closing tags. On my site I can enter them because it converts special characters into html entities.. bah!

  3. RedSend |

    miky, I have specified more precisely the path that must appear in the plugins folder, even though when I say to extract the file into that folder the right path appears automatically, anyway…

    As for the warning you get when you log out, it is not shown to me, maybe because warnings are disabled on aruba’s servers. Anyway I have understood the problem, I just have to see how to solve it; as soon as I get to it and find the solution I will update the plugin and announce it.

    Thanks for the report.

  4. Manne |

    Hello

    I tried this plugin but after activating it, logging out, and trying to log in again, I got a “wrong password” message. I had to remove the plugin via FTP to be able to log in again..

    What went wrong?

  5. Musikele |

    Hi Manne,
    I think you made the same mistake I did: you copied only the files and not the directory into your wordpress.
    Example: if you want to copy the plugin, it should be located in /wp-content/plugins/CHAPSecureLogin/ . The two files to copy are chapsecurelogin.php and md5.js . If you do this, you should avoid the problems with the password.

    Try it, and if you have problems, we’ll find a way to fix it.
    If you write again (we hope so), don’t forget to tell us the wordpress version you’re using. We have tested it on the 2.2.X versions.

    (to the admin: Can you send this comment via mail? Otherwise he’ll forget to check the page.. **ITALIAN**: would you send this comment by mail? otherwise I think he will forget to come back here and check… )

  6. Musikele |

    Now I’ll translate this page into English for you, then you put a link somewhere (English version) and we are done with it, ok? I’ll send it to you by mail…

    Michele

  7. RedSend |

    There, I have just finished setting up the English version of the page. WordPress drove me crazy with its editor when inserting this blessed javascript that switches language by hiding and showing the appropriate text.

    In the end I found it much more convenient to create a new page template and put everything in it.

    Anyway, here is the English version…

  8. RedSend |

    A new version will be made available shortly, with some changes that fix a few errors.

  9. Musikele |

    and let’s thank Michele Nasti who, thanks to his error report, even got you to have fun modifying wordpress for me! you are an idropenesaturo

  10. smartzul |

    Thanks for your great plugin!

    I’ve applied it to my blog. Thanks again!

  11. raphè |

    I wanted to let you know that we have been reviewed and linked by this article
    http://jamesmallen.net/2007/09/16/semisecure-login/

  12. Robert Kinder |

    Running WordPress 2.3.1. The plugin works fine with FireFox 2.0.0.9. However, I get a wrong password error with IE 7.0. I can login under IE 7 with CHAP disabled.

    The plugin is installed in the /wp-content/plugins/CHAPSecureLogin/ directory.

    Let me know if I can provide additional information.

    Thanks
    Robert

  13. RedSend |

    Yes Robert, under IE 6/7 it doesn’t work. I think the problem is in the javascript; it is the classic problem of compatibility between firefox and IE. I hope that in the next version of the plugin I will resolve this problem. In the coming nights I’ll work on this problem…

  14. RedSend |

    New version of the plugin, now also compatible with Explorer… (post)

  15. Manne |

    Thank you for the answer, I got it working now – I don’t know if it is because I had missed uploading the entire directory, or because I have updated my WordPress install…

  16. al |

    thank you for your cool plugin!
    I’ve applied it successfully to my blog.

  17. Karagioz |

    Hi, the plugin ends the session too soon for my liking, and I have to log back in. Is there a way to change the duration of the session, so I stay logged in for longer?

    Thanks for your work!

  18. rd Limosin |

    Hi. There’s a problem with your plugin when I install it in WP 2.5 (new version of WP).

    Your plugin is very useful for me. Please upgrade it. Thx!

  19. RedSend |

    Thank you for your alert. In the next few days I will try to find a few hours to update it.

    Bye…

  20. Maxi |

    This script doesn’t work; I uploaded it to the correct directory but it does not work.
    It does not work with FF and Opera.
    It says incorrect login, but when I disable the plugin I can log in

    Max

  21. RedSend |

    I looked at wordpress 2.5 last week, but at present it is not possible to install this version of the plugin.
    There is no way to adapt the plugin to the 2.5 version, due to how wordpress stores the passwords in the database.
    I must study another method for transmitting the password on an insecure channel.

  22. RedSend |

    The plugin version for wordpress 2.5 is ready and now in testing.

  23. RedSend |

    With high probability the version 1.3 does not work with Explorer.

  25. RedSend |

    Now, version 1.4 for wordpress 2.5 works fine with Explorer.

  26. Max |

    I tried again, but it still doesn’t work. I uploaded everything like the manual says, but nothing.
    This is my last comment, still the same

    This script doesn’t work; I uploaded it to the correct directory but it does not work.
    It does not work with FF and Opera.
    It says incorrect login, but when I disable the plugin I can log in

    Max

  27. RedSend |

    I tried to log in with Explorer 6 and 7, with Firefox and Opera, and it works fine in all cases. Other people use this plugin without problems.

  28. Teenburg |

    best plugin CHAP Secure Login!
    WordPress 2.5.1 – Firefox 2.0.0.14, IE7, Opera9.27
    all worked well. thnx

  29. Teenburg |

    I use MD5 Password Hashes and CHAP Secure Login

  30. baron |

    hi. Thanks for plugin

    perfect.

    regards

  31. Gabriele |

    I’ve experienced a lot of problems with this plug-in.

    I installed it with WP 2.5 and whenever I tried to log in I always got “500 Internal server error”.

    I’ve erased it via FTP and now all works fine.

  33. Klark |

    Does this work with WPMU?

  35. redsend |

    Version 1.5.1 is available…

    With this version it is also possible to connect through those programs for posting to and managing the blog from a different interface, such as Windows Live Writer, KBlogger, etc…

    WARNING: in that case the password encryption feature is disabled; it cannot be otherwise.

  36. redsend |

    Version 1.5.1 is available…

    Now it is possible to use blogging software like Windows Live Writer and Kblogger to manage the blog.

    WATCH OUT: in the case above the security is not provided by the plugin.

  37. redsend |

    New version available…

    Now it is possible to see, on the login page, whether the plugin is activated or not.

  38. Jubi |

    Hello there.

    I’m trying to secure my admin wordpress installation with your plugin.

    but I’m not getting it to work correctly.

    what I did:
    - downloaded it to the plugins folder
    - activated the plugin

    - tried logging in with user_1
    – first try:
    – result: message password not encrypted
    – second try
    – login successful

    logout
    – third try
    – user or pass error
    – fourth try
    – user or pass error
    – fifth try
    – user or pass error
    .
    .
    .

    with another user the results are the same
    1 – message: password not encrypted
    2 – login successful
    3 – user or pass error
    4 …
    5 …
    5 …
    .
    .
    .

    any feedback would be great.

    good luck with your plugin

    best regards from Portugal
    Jubi

  39. Lee C |

    In theory, this is exactly what I was looking for (I’ve just paid $30 for a dedicated IP as I was led to believe that once an SSL certificate was installed my domain would provide this functionality…turns out this is far from true!), unfortunately though when I log in I receive “CAUTION: Password is sent unencrypted” and the page reloads without logging me in, minus the padlock below the username field with an empty red box above the username field…(??) I hit the back button and again receive the same dialog message, and the padlock image is still missing from the page. I was able to log in this time but I assume the login bypassed the encryption procedure since the padlock wasn’t there! Any idea what’s going on here/how to resolve this??

    Thanks in advance,

    Lee C

  40. Lee C |

    UPDATE: Just tried again and the same thing happened, and noticed that every time I reload the page (after hitting the back button), despite both the username & password fields being empty I still receive this message (which is actually “CAUTION!!! Password is sent unencrypted.”). This would imply that the plugin has stored the password and is re-sending it “unencrypted” every time the page is reloaded…doesn’t take a genius to realise this is a MASSIVE security risk!! :-/

  41. Lee C |

    And this happens with both Internet Explorer and FireFox (latest versions of both)… Apologies for the triple posting, would REALLY help if the admin added a plugin to allow commenters to edit our own comments…

  42. redsend |

    Hi Lee C,

    I don’t understand your problem, can you give me more details? For example, when does it happen? Which version of wordpress is installed?
    Intuitively, if you push the back button it is normal that it doesn’t work, because it is a cached page and the encryption system needs a new seed each time. Anyway, send me an email with more details and we will try to fix the problem.

  43. bagno |

    is this available for drupal too?

  44. redsend |

    I’m sorry, it is made only for wordpress.

  45. ebad |

    I tried this one. Logged out then logged back in. I logged in many times then got a message that the password was sent unencrypted, then I was able to log in. What if a different user were to log in, would that always be the case?

  46. redsend |

    Hi ebad, the plugin changes the way in which the password is stored, so every first time you enter the password it will tell you that the password is sent unencrypted.

  50. James Tan |

    Hi redsend,

    is there a way to change the ” is sent unencrypted” to another message e.g. Please login again?

    thanks,
    James Tan

  51. redsend |

    It will be!

    Stay tuned…

The content of this blog is released under a Creative Commons License (Read)