Thanks, Dwarden, for the heads-up on this one.
Another development for WordPress:
https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/
I'd rather like to see a secure implementation of https everywhere, and we should really test at
https://www.ssllabs.com/ssltest/
The only advantage is that admins can log on somewhat more securely now.
Why does the browser warn on a self-signed certificate and not on third-party Let's Encrypt certificates? Average users cannot distinguish anymore between a real secure non-EV certificate and a Let's Encrypt 'toy' one. And exploit attacks can now be performed over https only.
Some tips to better protect your log-on credentials. Admins should have two accounts, one for daily use and one for special tasks.
Members of admin groups should have zero permanent users, and users with authentication should rotate to perform certain tasks.
Use 2FA to protect against Phishing Attacks that are after your credentials.
Administration should always be performed by users without full admin rights.
With such rights, there should be the possibility that they can be withdrawn
whenever such a task has been performed.
This is called Just in Time administration.
Applications should be performed according to a specific authentication role system.
Administration tasks should only be performed on high-end security machines,
so-called dedicated systems.
A physical environment is always more secure than a virtual one.
There should not be a browser hanging onto such a system, nor
should there be room to set up connections to or receive connections from internet addresses.
But also at the local user level, the structures should be secure against exploits
that may also endanger higher levels.
Tips from Roger A. Grimes.
polonus