-2

During our last PCI scan, we received these 2 fail points: "Basic Authentication over HTTP" and "Web Page Transmits Login Credentials Without Encryption." Both were on Port 2077.

Though our WordPress website has an SSL, it seems as if logging in is still authenticating over HTTP. How do I get the website to use SSL for authentication?

Arvy S.

1 Answer

5

It is very likely that there is a second web service listening on your server, and the PCI scan is finding and complaining about that service, not your WordPress instance. As @deviantfan suggests in a comment, port 2077 is one known to be used by cPanel.

You can verify what's there by browsing to http://yoursite:2077/. To remediate your PCI scan finding, you'll need to either disable the service that's listening to that port (ideal, if it's unused), or secure it with SSL. You should also consider blocking all but necessary ports using a firewall, as you've just seen what happens when ports you don't know about crop up.

gowenfawr
  • I went to yoursite:2077, and it asked for a username and password to "Log in to yoursite". It seems like it's used by cPanel, but I'm not sure. How do I disable the service or secure it with SSL? – Arvy S. Jul 14 '18 at 21:38
  • I assume you're using a hosting solution, rather than running your own server or VPS. In that case you should contact your provider and ask them how to disable it. – gowenfawr Jul 14 '18 at 22:16
  • Will it be OK to block/disable port 2077? What negative effects will this have, if any? – Arvy S. Jul 15 '18 at 05:35
  • It is unlikely to have any negative effects, because if you didn't know it was there until your ASV pointed it out to you, then you're not likely to be using it. – gowenfawr Jul 15 '18 at 22:43
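
A scripted version of the check the answer describes, as an added example that is not part of the original answer or comments: it sends one unauthenticated plain-HTTP request to a port on your own server and reports whether the listener offers Basic authentication without TLS, the condition the two scan findings describe. The function names and result keys are assumptions made for this example.

```python
import http.client
import re
import sys

# One header value may list several schemes, e.g. 'Negotiate, Basic realm="x"'.
_BASIC = re.compile(r'(?:^|,)\s*basic(?:\s|$)', re.IGNORECASE)


def offers_basic(www_authenticate_values):
    """True if any WWW-Authenticate header value offers the Basic scheme."""
    return any(_BASIC.search(v) for v in www_authenticate_values)


def probe(host, port, timeout=5.0):
    """Send one unauthenticated GET over plain HTTP and describe the listener."""
    result = {"plain_http": False, "status": None, "server": None,
              "location": None, "basic_over_http": False}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
    except (OSError, http.client.HTTPException):
        # Closed or filtered port, or a listener that does not answer
        # plain HTTP (for example a TLS-only service).
        return result
    finally:
        conn.close()
    result.update(
        plain_http=True,
        status=resp.status,
        server=resp.getheader("Server"),      # hints at which product is listening
        location=resp.getheader("Location"),  # shows a redirect to https://, if any
        basic_over_http=offers_basic(resp.headers.get_all("WWW-Authenticate") or []),
    )
    return result


if __name__ == "__main__":
    # Usage: python check_port.py yoursite 2077
    print(probe(sys.argv[1], int(sys.argv[2])))
```

After the service is disabled or the port is firewalled, `plain_http` should come back `False`; if the service is instead moved behind SSL, `basic_over_http` should be `False` on the plain-HTTP port.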