WordPress Administration Over SSL

Since this is my third straight WordPress-related post it’s probably obvious that I spent some time digging into WordPress this weekend. This feature (WordPress Administration over SSL) has been in WordPress awhile and was available via plugins for some time before that. Administration over SSL encrypts the traffic between the browser and the server so no one can look in on your traffic. In the case of WordPress this means no one can pluck your password off the network. Without SSL your password is sent in clear text and can be read by anyone who’s able to intercept (“sniff”) the traffic.

WordPress can either encrypt just the login or encrypt the entire admin session. SSL can be slow and put more strain on the server, so you may not want to use it all the time. Of course, your web server must be set up to enable SSL. SSL does require a certificate on the server and these certificates can cost money. But if all you want to do is use SSL for yourself, a self-signed certificate can be used. Self-signed certificates aren’t suitable for e-commerce or public sites, but one is enough for what I need. The browser will balk at the self-signed certificate, but most modern browsers will allow you to add the certificate to the trusted certificates list and silently connect in the future.

I use a virtual private server (VPS) so I control everything from the OS on up and won’t have any trouble using a self-signed certificate. I can’t say what other hosts will allow; you may need to buy a certificate from them and you may need to request that SSL be enabled for your domain.

Once SSL is enabled and the self-signed (or real) certificate is installed you can enable WordPress administration over SSL by adding one of the following two lines to your wp-config.php file:

To use SSL for the login only, use: define('FORCE_SSL_LOGIN', true);

For SSL on the login and the entire admin session, use: define('FORCE_SSL_ADMIN', true);

Be sure to add it before the require_once(ABSPATH . 'wp-settings.php'); statement. I hastily pasted it at the end of the file and SSL Admin didn’t work for WordPress. Let’s not mention how long it took me to find the problem.

The URL should switch to https:// when you access /wp-admin and your browser should indicate it has a secure connection (such as a padlock in the status bar).
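Here is the relevant tail of a wp-config.php laid out in the right order, as an added example rather than the post’s own file. The database settings and salts are elided. It goes a step beyond the post’s plain Apache setup: the HTTP_X_FORWARDED_PROTO check is an assumption that only applies when a proxy or load balancer in front of the server terminates SSL (the Codex page the post points to describes that case), and it can be left out when Apache handles SSL itself.

```php
<?php
// Added example, not the original post's wp-config.php. Only the ordering
// matters here: the define() calls must come before wp-settings.php is
// loaded, because that file is what reads them. Pasting them after the
// require_once() at the end of the file has no effect.

// ... database settings, table prefix and salts as generated by WordPress ...

// Assumption for proxied setups only: when a reverse proxy terminates SSL,
// PHP sees a plain HTTP connection, so WordPress would redirect to https://
// again and again. Trusting the proxy's X-Forwarded-Proto header tells
// WordPress the original request was already HTTPS. Omit this block when
// Apache terminates SSL directly, as in the post.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Pick one. FORCE_SSL_ADMIN covers the login form as well as every
// /wp-admin request; FORCE_SSL_LOGIN protects only the login form.
define('FORCE_SSL_ADMIN', true);
// define('FORCE_SSL_LOGIN', true);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if (!defined('ABSPATH')) {
    define('ABSPATH', dirname(__FILE__) . '/');
}

/** Sets up WordPress vars and included files. The constants above are read here. */
require_once(ABSPATH . 'wp-settings.php');
```

After saving the file, request /wp-admin over plain http:// and confirm the response is a redirect to the https:// URL; if the browser instead loops between the two, the server is not reporting the connection as HTTPS to PHP.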

I have SSL enabled for the full admin session. I didn’t do any official benchmarks, but performance does seem a little slower at times. That could be because I’m expecting it and paying more attention. CPU usage also seemed briefly higher when I was running an SSL session, but again, it’s been awhile since I paid attention. Neither the performance nor the CPU usage was unacceptable, and neither would have raised an alarm or been noticed if I wasn’t watching.

The WordPress Codex provides details about SSL Administration.

2 thoughts on “WordPress Administration Over SSL”

  1. I am using WordPress 2.9.2. I added a VirtualHost entry for 443, duping the info in the 80 VirtualHost entry but adding the SSL related info. Added the FORCE_SSL_LOGIN define and all works well (https shows in the HTML source for the login form but nowhere else).

    My only issue is that I can go to https://www.outsourcing-buzz-blog.com/ (or some other page other than the login URL) and it doesn't redirect to the non-https page. I don't want (need) any of the pages to be https except for the login. Even if I changed it to FORCE_SSL_ADMIN, I would still have the same issue with the non-admin pages.

    Any thoughts in this area? Am I missing something? I think the FORCE_SSL_LOGIN/ADMIN does part of the job, but it doesn't handle redirecting all the https requests that should be http.

  2. @Rodger, if you type "https" in the URL then it will use SSL for any page since SSL is enabled for Apache. You could probably do some redirect rules but that's beyond me and not handled by WordPress.
