Not relevant to the WordPress part, but can someone explain to me why websites like eBay don't run on HTTPS except during login? Doesn't that allow any sniffer to steal your authentication cookies?
If a user gets their credentials hijacked, and a hacker makes a bunch of unauthorized purchases with their saved credit card, who's the customer going to call? AliExpress, or their bank to mark the purchase as fraudulent and refund the money?
To them, they're merely supplying the vehicle to do business. It's the payment processing companies, the banks and third party vendors who handle the money, so it's their responsibility to notice the charges and shut the account down.
Like last week, I got a call from my bank asking if I was making purchases in Belgium, Norway and France. I was like, "Uhhhhhhhhhhh no, that's fraud." They blocked the purchases first and THEN called to confirm with me. It was pretty obvious based on my banking behavior this was out of the norm and immediately flagged. It wasn't the travel site's fault they let it happen, it would've been my bank's problem if they let those purchases go through.
I'm glad they have an incredible fraud detection system. This is the second time they've flagged something on my account and shut these down before any damage could be done.
Is identity theft not their issue? That site includes a history of your buying/selling habits, your address, your phone number, your payment information... screw the money itself, there's a lot more damage a nefarious eavesdropper can do than make a purchase with your account in Belgium.
Identity theft is a non-thing, a lie made up by unscrupulous creditors to pretend it's not their fault for incorrectly authorizing a criminal and then charging you for it.
Think about it: This information you're revealing to eBay is basically the same for any other online merchant. If that's enough to "steal your identity", where does the problem really lie?
Yes and it doesn't even protect the password appreciably either.
User logs in with HTTPS, gets redirected to HTTP site and the MitM throws up the "Incorrect password try again" page. User types their password and transmits it over HTTP or JS steals it etc. etc.
eBay does it because they aren't sufficiently interested in protecting against MitMs.
The web isn't ready for HTTPS only yet but it will happen over time.
It's already pretty much happened, I can search google, browse wikipedia, read email, HN and reddit, even click the images on imgur all without leaving the SSL comfort zone. Even facebook seems to have taken this route. Most big sites now offer SSL-only.
No.
Provided the cookies are set with the Secure flag (https://www.owasp.org/index.php/SecureFlag), that will mean the browser won't send the cookie over HTTP requests, only on HTTPS requests, and to answer the other comment below about 'JS snarfing', that is mitigated by setting the cookie as HttpOnly (https://www.owasp.org/index.php/HTTPOnly), which doesn't mean HTTP vs HTTPS, it means not accessible via DOM JavaScript.
As for their reasoning... maybe performance, but more likely laziness.
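As an added example (not code from any commenter in this thread), the following Node.js snippet models the two browser rules the comment above relies on: a cookie carrying the Secure attribute is only attached to https:// requests, and a cookie carrying HttpOnly is never exposed through document.cookie. The cookie jar, the Set-Cookie parser, the host shop.example and the session cookie sid=abc123 are all constructed for illustration. It shows why, in the HTTPS-login-then-HTTP-redirect scenario described earlier, a Secure session cookie is not handed to a sniffer on the HTTP page (while a password retyped into a spoofed form on that page still is).

```javascript
// Added example: a minimal model of browser cookie handling for the
// Secure and HttpOnly attributes. Not a real browser; Domain, Path,
// Expires and SameSite are deliberately ignored since they are not the
// point here. All names, values and URLs below are constructed.

function parseSetCookie(header) {
  // "name=value; Attr; Attr=val; ..." -> { name, value, secure, httpOnly }
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  if (eq < 1) throw new Error('malformed Set-Cookie: ' + header);
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    // other attributes (Path, Domain, ...) are ignored in this model
  }
  return cookie;
}

class CookieJar {
  constructor() {
    this.cookies = new Map(); // keyed by cookie name
  }

  setCookie(header) {
    const c = parseSetCookie(header);
    this.cookies.set(c.name, c);
  }

  // The Cookie request header the browser would attach to a request
  // for `url`: Secure cookies are withheld on non-https schemes.
  cookieHeaderFor(url) {
    const isHttps = new URL(url).protocol === 'https:';
    return [...this.cookies.values()]
      .filter((c) => isHttps || !c.secure)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What page script would see in document.cookie: HttpOnly cookies
  // are hidden from the DOM regardless of scheme.
  documentCookie() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed scenario: the same session cookie set without flags
// ("weak") and with both flags ("hardened"), then a request to an
// http:// page on the same site, as in the sslstrip-style redirect.
function demo() {
  const weak = new CookieJar();
  weak.setCookie('sid=abc123; Path=/');

  const hardened = new CookieJar();
  hardened.setCookie('sid=abc123; Path=/; Secure; HttpOnly');

  return {
    weakOverHttp: weak.cookieHeaderFor('http://shop.example/account'),
    weakViaJs: weak.documentCookie(),
    hardenedOverHttp: hardened.cookieHeaderFor('http://shop.example/account'),
    hardenedOverHttps: hardened.cookieHeaderFor('https://shop.example/account'),
    hardenedViaJs: hardened.documentCookie(),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running it prints the weak cookie leaking on both the HTTP request and through document.cookie, and the hardened cookie appearing only on the HTTPS request. The model does not capture what the flags cannot fix: a MitM who downgrades the post-login page to HTTP can still serve a fake "incorrect password" form and read whatever the user types into it, which is what HSTS and HTTPS-only sites address.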