In August 2013, a new web vulnerability was disclosed, summarised in a few words as: "HTTPS can be hacked in 30 seconds".
If you're using HTTPS (TLS or SSL) at any level (admin, front end, even for a single page) you HAVE to protect your site against this flaw now.
How? Just install this free plugin!
- Extract the plugin folder from the downloaded ZIP file.
- Upload the folder to your /wp-content/plugins/ directory.
- Activate the plugin from the "Plugins" page in your Dashboard.
- Done!
You can (and I encourage you to do it) define two constants in the wp-config.php file:
BBA_REPEATER: used by this plugin to add a new secret string to each nonce (a number used once, to create a secure token and avoid CSRF flaws). Default is 2, minimum is 1, no maximum; just change it.
BBA_NONCE_LENGTH: from 4 to 32, with 10 as the default value; lets you modify the length of each nonce in WordPress. The longer, the better.
Also, WordPress includes a "nonce_life" filter hook. Its default value is 1 day; I suggest you lower this value, for example to 12 hours or 6 hours (DAY_IN_SECONDS / 2 or / 4).
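As an added example (not code shipped with the plugin), here is how the two constants and the nonce_life filter could be set. The constant names and their ranges come from the text above; the chosen values and the mu-plugin file name are assumptions.

```php
<?php
// --- Fragment 1: wp-config.php, above the line that requires wp-settings.php ---
// Assumed: the plugin reads these two constants when it loads, as described above.

// Number of extra secret strings mixed into every nonce. Default 2, minimum 1, no maximum.
define( 'BBA_REPEATER', 4 );

// Length of each nonce. Allowed range 4..32, default 10; use the maximum.
define( 'BBA_NONCE_LENGTH', 32 );

// --- Fragment 2: wp-content/mu-plugins/short-nonce-life.php (assumed file name) ---
// Shorten how long a nonce stays valid. WordPress default is DAY_IN_SECONDS (24 hours).
add_filter( 'nonce_life', function ( $lifetime ) {
    // 6 hours instead of 24. Use DAY_IN_SECONDS / 2 for 12 hours.
    // Note: WordPress accepts the current and the previous nonce tick, so a nonce
    // actually remains valid for between one and two lifetimes (6 to 12 hours here).
    return DAY_IN_SECONDS / 4;
} );
```

Check the result on a page that emits a nonce (for example the post editor): after the change, a nonce must be rejected by wp_verify_nonce() once two lifetimes have passed.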