Since this is my third straight WordPress-related post, it's probably obvious that I spent some time digging into WordPress this weekend. This feature (WordPress Administration over SSL) has been in WordPress a while and was available via plugins for some time before that. Administration over SSL encrypts the traffic between the browser and the server so no one can look in on your traffic. In the case of WordPress this means no one can pluck your password off the network. Without SSL your password is sent in clear text and can be read by anyone who's able to intercept ("sniff") the traffic.
WordPress can either encrypt just the login or encrypt the entire admin session. SSL can be slow and put more strain on the server, so you may not want to use it all the time. Of course, your web server must be set up to enable SSL. SSL does require a certificate on the server, and these certificates can cost money. But if all you want to do is use SSL for yourself, a self-signed certificate can be used. Self-signed certificates aren't suitable for e-commerce or public sites, but it's enough for what I need. The browser will balk at the self-signed certificate, but most modern browsers will allow you to add the certificate to the trusted certificates list and silently connect in the future.
I use a virtual private server (VPS), so I control everything from the OS on up and won't have any trouble using a self-signed certificate. I can't say what other hosts will allow; you may need to buy a certificate from them and you may need to request that SSL be enabled for your domain.
Once SSL is enabled and the self-signed (or real) certificate is installed, you can enable WordPress administration over SSL by adding one of the following two lines to your wp-config.php file:
To use SSL on logon only use:
For SSL on logon and the entire Admin session use:
Be sure to add it before the require_once(ABSPATH . 'wp-settings.php'); statement. I hastily pasted it at the end of the file and SSL Admin didn't work for WordPress. Let's not mention how long it took me to find the problem.
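The placement mistake described above can be caught from the shell. The following is an added example, not code from the original post: it assumes the setting is made with WordPress's FORCE_SSL_LOGIN or FORCE_SSL_ADMIN constant, and the function name and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the SSL constant in wp-config.php is defined
# before wp-settings.php is loaded. Reads a file argument or stdin.
# Exit status: 0 = defined before the require_once line
#              1 = defined after it (the failure described in the post)
#              2 = no FORCE_SSL_ADMIN / FORCE_SSL_LOGIN define found
check_ssl_define_order() {
    awk '
        /^[ \t]*(\/\/|#)/ { next }    # ignore commented-out lines
        /define[ \t]*\(.*FORCE_SSL_(ADMIN|LOGIN)/ { if (!def) def = NR }
        /require_once.*wp-settings\.php/         { if (!req) req = NR }
        END {
            if (!def) exit 2
            if (req && def > req) exit 1
            exit 0
        }
    ' "$@"
}

# Constructed sample: constant placed before wp-settings.php is loaded.
good_sample() {
cat <<'EOF'
<?php
define('DB_NAME', 'example_db');
define('FORCE_SSL_ADMIN', true);
require_once(ABSPATH . 'wp-settings.php');
EOF
}

# Constructed sample: constant pasted at the end of the file.
bad_sample() {
cat <<'EOF'
<?php
define('DB_NAME', 'example_db');
require_once(ABSPATH . 'wp-settings.php');
define('FORCE_SSL_ADMIN', true);
EOF
}

# Demo run over both samples; prints the exit status for each.
for s in good_sample bad_sample; do
    rc=0
    $s | check_ssl_define_order || rc=$?
    echo "$s: exit $rc"
done
```

Against a real install, pass the path to the site's wp-config.php as the argument instead of piping a sample.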
The URL should switch to https:// when you access /wp-admin and your browser should indicate it has a secure connection (such as a padlock in the status bar).
I have SSL enabled for the full admin session. I didn't do any official benchmarks but performance does seem a little slower at times. But that could be because I'm expecting it and paying more attention. CPU usage also seemed briefly higher when I was running an SSL session, but again, it's been a while since I paid attention. But neither the performance nor the CPU usage was unacceptable, and neither would have raised an alarm or been noticed if I wasn't watching.
The WordPress Codex provides details about SSL Administration.