According to the codex, the define just needs to be before this:
/* That's all, stop editing! Happy blogging. */
...
require_once(ABSPATH . 'wp-settings.php');
I just added the
define('FORCE_SSL_ADMIN', true);
to a site of mine that has a private SSL cert, and when I browsed to the site via the non-https URL; e.g., http://mysite.com/wp-login.php it redirected me to the new URL https://mysite.com without the redirect string that yours shows, and that’s putting the define for forcing SSL admin right above the line I mention above. If I try to go to the wp-admin folder instead, I get the redirect.
Then, I tried putting the define at the very top of the file, like you say you have it, and it still worked both to wp-admin (with the redirect) and to wp-login (without the redirect).
So I don’t think it’s something in your .htaccess. It looks like your changes to wp-config.php aren’t being paid attention to. Have you verified that the file is actually being copied to the server and that the permissions on the file are correct (644)?
Is your server using any fancy caching software that would account for your modified wp-config.php not being loaded immediately, maybe?
Thread Starter
MStenz
(@mstenz)
Thanks for the response – I’m still not understanding why I’m getting the redirect in the string, but I believe I have it working. I had a commenting error in the wp-config.php. Sometimes have to watch what I copy and paste.
Ah, yes. That commenting error would do it.
I believe you get the redirect in the string when you start at the http://yourdomain.com/wp-admin URL; it redirects you to the wp-login.php script. That’s normal. The important thing in terms of SSL is that the redirect string contains “https” rather than “http.”
Thread Starter
MStenz
(@mstenz)
OK – thanks for the help.
On the same subject, just found another SSL issue, which may be a bug?
So, if I do a password reset, I get an e-mail that says:
Someone requested that the password be reset for the following account:
https://blog.domainX.com
etc etc etc
Now, the problem is, is it putting https:// for the site URL, which causes some complications when clicking on the link. After reviewing wp-login.php it seems the line of code is calling ‘network_home_url’ – so at some point in the logic it is taking the FORCE SSL into account. Not sure there is a way around this other than to hard code that line.
What complications does that cause when you click the link?
If you have a private SSL certificate it should just display the site in SSL mode without any warnings. What’s happening?
Thread Starter
MStenz
(@mstenz)
For the record, I’m just using a self signed cert in a sandbox, so I’m not sure if these issues would remain with a certificate authority once I try live. Nonetheless…
In IE, I get a popup that only secure content is being displayed. Chrome doesn’t show any warnings, but both browsers display the same symptoms. It just looks like the stylesheets are off, padding is off, super large text, overlapping widgets, some images not being displayed…just a mess.
If you have a private cert I think you may still get those security warnings because if your main domain is set in Settings -> General to an “http” a lot of the “src” attributes to images and such will not be “https,” so you will have both secure and insecure items on a given page.
One alternative would be to switch your entire site to run via SSL, which I have done for sites that had ecommerce plugins and does theoretically reduce the speed a bit, but I have found it is not noticeable.
Are you using
define('FORCE_SSL_LOGIN', true);
or
define('FORCE_SSL_ADMIN', true);
It may be that with SSL admin only you wouldn’t be getting this effect.
Thread Starter
MStenz
(@mstenz)
When I used:
define(‘FORCE_SSL_LOGIN’, true);
I did not get the login page to force SSL.
So right now, I’m using:
define(‘FORCE_SSL_ADMIN’, true);
That works, with SSL login AND the admin as it should, but I have that https:// added to site root. I’m not sure I’d want to carry the entire site via SSL if I can help it, at least not for an issue like this. It’s not going to be hit that much, just want to cover all scenarios.
Once you get it set up on live site, you might repost about the https with the password recovery link and see if someone has an idea.
