SSL secure logins for WordPress
You need an SSL certificate first. I have a Comodo one, hence the SSL site seal (which you will be given when you get your certificate).
Once the certificate is set up, as I found, if you want SSL through the whole WordPress site, you’ll run into issues in IE. This issue only occurs if your site contains non-HTTPS stuff. Stuff means embedded images from elsewhere or embedded videos. Mine were the embedded YouTube videos and some of the image links at the bottom of the site. Because they are hosted at HTTP sites, IE will give the user a warning that some of the content is insecure and ask whether they want to view only the secure content. If the user clicks Yes, half your site might not be visible to them.
Sadly, as we are aware, a lot of people still use IE, so this might cause issues. Although this blog is only meant for my IT notes, I like other people to view it. So I’ve had to annoyingly turn off HTTPS across the whole site. Waste of a certificate maybe, waste of the dedicated IP on my hosting maybe. But I was just interested in how SSL worked.
Anyway. I’ve now just put it to use on the login page instead. The admin login page for me now displays as HTTPS. So if on a hotel network, I can log in to the site knowing the password is being sent over HTTPS and encrypted. So MUCH less chance of the password being sniffed. Yes, I’m well aware of SSLStrip but it’s less of a risk than plain old HTTP.
Thought I’d have to hunt down where the link to the login page was in the code to change the link to the login page to HTTPS, but it turns out you can just put this in the wp-config.php file.
You’ll probably see
define('FORCE_SSL_LOGIN', false);
Just change that to TRUE. And I’ve also added this ADMIN line.
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
That will now force not only all logins but ALSO admin sessions to be over SSL.
Work this out myself?
No 🙂
Info is here
http://codex.wordpress.org/Administration_Over_SSL