When I am traveling I frequently publish my travel stories from internet cafés on this weblog. However, these places are not the safest computing places. I have seen a lot of worrying messages from virus scanners nobody pays attention to.
Because of this I have been searching for ways to improve security. One measure I took was installing the Semisecure Login Reimagined plugin to send the WordPress password encrypted from the browser to the server (a better way is to use SSL, but my hosting provider doesn’t support that).
However, sending the password encrypted doesn’t prevent keylogging. A possible solution is to use a virtual keyboard (on-screen keyboard). Because I don’t want to search for or install a virtual keyboard each time, I wanted a virtual keyboard integrated in my login screen. I couldn’t find something existing, so I decided to write a new WordPress plugin to accomplish this. The short name of this plugin is WP-Login-Vkb.
After pressing the keyboard icon next to the password box, my login screen looks like this now:
Installation of the plugin is straightforward:
- Download and unzip the plugin
- Upload the entire wp-login-vkb/ directory to the /wp-content/plugins/ directory
- Activate the plugin through the ‘Plugins’ menu in WordPress
- Optionally change the default settings on the options page
The plugin was tested with WordPress version 2.7 on a standard (not customized) login screen. Please let me know if the plugin does work with other WordPress versions (especially older versions).
Please note that I cannot guarantee this plugin will prevent keylogging in all cases.
The plugin is licensed under the GNU General Public License version 3. The plugin uses the Javascript Virtual Keyboard downloaded from The Code Project. The keyboard icon was downloaded from Wikimedia Commons.
Remarks, comments and questions are as always very welcome.
i want to know that does this virtual keyboard change its keys position after refresh or reload.
and how can i use this for my application ?????/
please help
All details about the embedded virtual keyboard can be found here.
Thanks for the plug-in it is fine with WP2.8.2. I would further ask how to make all texts embraced in the keyboard boundary. Like shorten AltGr to Alt or BackSpace to BkSpace?
If you want to edit the keyboard layout, take a look in the chapter Creating Your Own Language Layout of the documentation of the JavaScript Virtual Keyboard library.
Please note the plugin is not working in Internet Explorer.
A easier and safer way to protect your WordPress password is the One-Time password plugin.
Great thanks for that, it looks lengthy and will digest it. It doesn’t matter for I.E., I use FF a lot.
I used One-Time password already, tks again and both work fine with WP2.8.3 locally and remotely.
Not working for ie .
Unfortunately the main problem seems to be in the keyboard library itself.
The virtual keyboard does work in Internet Explorer with version 0.2 of the plugin.
Using an onscreen keyboard does not fool but the most basic (stupid) keyloggers/spywares. I can recommend the comparison of technologies at kyps.net/home/comparison for different approaches and their advantages and disadvantages.
I am wondering if you can justify this statement.
I think it is quite obvious: there is nothing to stop the spyware to capture your input – no matter how exactly this input is made. Keyloggers/Spyware nowadays can capture areas that have received mouse clicks, the clipboard, and all sorts of system calls. Use google to find out…
I don’t deny that more advanced keyloggers can and will capture input from other sources than the keyboard. However, I am not convinced that data captured in that way is used on a large scale (in an automated way) for malicious purposes, yet.
With the lack of reliable sources of information about what is really going on “in the wild” (and I would expect that this may greatly vary by location) I can only speculate. And basing security decisions on speculation – well that’s the definition of risk, isn’t it?