Categories: conferences, security

How to really secure WordPress for a remote blog

EDIT: downloading the nice plugin recommended in this post will now break your blog if you’re using WordPress 2.5 – the WordPress authors have made some incompatible changes. But it’s OK – bengreen has fixed the plugin and made a new version available (read here for some very basic information on what will break and idiot-proof instructions on how to fix it).

I had a nasty shock when I realised that WordPress by default has no security at all: the login form sends your admin password over plain HTTP. Anyone in your office who doesn’t like you and has a basic knowledge of using Google can potentially steal your admin password and take complete control of your blog. This is, really, pretty mind-blowingly stupid – I love WordPress, but “no HTTPS support out-of-the-box” is frankly irresponsible, especially for a product used by so very many people across the world. The only good part is that AFAICS on a quick glance there’s no easy way of taking control of the entire webserver if you’re the WordPress admin (plugins still have to be manually uploaded, so you’d need separate access to the server to manage that).

What follows is a discussion of how to fix this, along with links to step-by-step guides that worked well, and an extra note on how to complete the process without doing the “log in once insecurely” step that all the guides tell you to do at the end.
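As an added example (not code from the original post, the plugin it links to, or the guides it mentions), here is the built-in way to force the login page and the admin area onto HTTPS in WordPress 2.6 and later, where the `FORCE_SSL_ADMIN` constant exists; it does not help on the 2.5 install this post was written against. The `X-Forwarded-Proto` block is an assumption for setups where TLS terminates on a proxy in front of the web server, and should be left out otherwise.

```php
<?php
// Added example: lines to place in wp-config.php, above the
// "That's all, stop editing!" comment. Not code from the original post.
//
// FORCE_SSL_ADMIN exists in WordPress 2.6 and later. With it set, WordPress
// redirects wp-login.php and everything under /wp-admin/ to https://, so the
// password and the admin session cookie never cross the network in cleartext.
define('FORCE_SSL_ADMIN', true);

// Assumption: the site may sit behind a TLS-terminating proxy or load balancer
// that speaks plain HTTP to the web server. WordPress then cannot see
// $_SERVER['HTTPS'] itself and would loop on the redirect, so honour the
// X-Forwarded-Proto header the proxy sets. Only keep this when you control
// the proxy and it overwrites the header on every request; a client must not
// be able to supply it directly to the web server.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```

With this in place, requesting `http://yourblog/wp-login.php` is redirected to the HTTPS URL before the form is ever shown, which is exactly the “log in once insecurely” step the guides leave open. Check it after deploying: fetch `wp-login.php` over plain HTTP and confirm you get a redirect to `https://` rather than the login form, and that the admin cookies WordPress sets afterwards carry the Secure flag.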