WordPress.org

BulletProof Security
[resolved] BulletProof Security and SSL for wp-admin? (6 posts)

  1. nv1962
    Member
    Posted 3 years ago #

    I installed BPS on a site that has SSL enforced for the entire wp-admin area of a WP3.0.4 site, and that just didn't work. That is, this works: enabling the plugin, checking the status, backing up the original htaccess files, activating the top-level htaccess protection. Perhaps I should say it sort-of works, as the otherwise pretty jQuery UI tabs don't show up, other than as styled lists (perhaps due to a hard-set call to the Google hosted JS libs?). However, functionally everything pans out so far.

    But then, activating the htaccess protection for wp-admin - this didn't work. That is: empty page thrown back, and general misery until I dove in via FTP and renamed the BPS plugin folder (a crude way to deactivate it, but it works).

    I'm not sure that many sites have a private cert (and unique IP) to support a "proper" private https access for their site, but in our case (a non-profit association) we wanted to make sure that access over WiFi was secure enough to not bother too much about insecure APs (especially for registration, which entails fairly detailed professional data).

    So... Is there light at the end of the tunnel for those of us using SSL to rework all the BPS related wp-admin calls to (especially external) resources, such as scripts and css and image files?

    Thanks in advance!

    Added later: at least, so that the insanely awesome WordPress HTTPS can take over and automagically rework calls to https versions...
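
The concern raised in the post above, hard-set http:// calls to external scripts, CSS and images on a wp-admin page served over SSL, can be checked mechanically. The following is an added example, not part of the thread and not code from BPS or WordPress HTTPS; the function names and the sample page with its example.org hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}
# Scripts, frames and stylesheets are "active" mixed content, which browsers
# block on an HTTPS page; images are "passive" and typically only warn.
ACTIVE_TAGS = {"script", "iframe", "link"}

class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would request over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, "active" or "passive")

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # <link> only loads a resource for stylesheets, not rel="canonical".
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        value = (attrs.get(attr) or "").strip()
        if not value:
            return
        url = urljoin(self.page_url, value)  # resolves relative and //host URLs
        if urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, url, kind))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample of an admin page; hosts and paths are placeholders.
SAMPLE_ADMIN_PAGE = """
<link rel="stylesheet" href="http://cdn.example.org/ui/theme.css">
<script src="http://cdn.example.org/ui/jquery-ui.min.js"></script>
<script src="//cdn.example.org/ui/tabs.js"></script>
<img src="http://static.example.org/logo.png">
<link rel="canonical" href="http://www.example.org/">
"""
```

Feeding it the saved HTML of an admin screen lists every resource that would need an https:// or protocol-relative URL before the page renders cleanly over SSL.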

  2. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    Hi,
    The first issue you are describing sounds like a PHP4 issue. You are running PHP5, correct? PHP4 will break the BPS menus and cause several other problems. Also BPS works in a dedicated hosting environment, but in some cases has required a little tweaking.

    BPS has never been tested in an SSL environment and there is no SSL based .htaccess coding so I am not surprised that it didn't work for you right out of the box. You would probably need to add coding such as this code below to redirect port 80 to https and possibly several other custom coding additions so if the other plugin is working out for you right out of the box then stick with it. ;) This is just a rough coding example of course. I would have to actually play around with an SSL certificate and check everything out from top to bottom. Most likely it would only take a few minutes to add or modify the necessary htaccess code to do what you want it to do.

    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

    I will definitely look into this down the road, but as you stated there are not that many people that are using SSL certificates so this issue automatically takes a lower priority. :(

    Interesting that you needed to rename the BPS folder and deactivate BPS at all. Typically just replacing the .htaccess files is all that is needed to put your site back where it was. The plugin files themselves should logically not come into play at all regarding the differences between HTTP and HTTPS. Possibly just a PHP4 issue???

    And this doesn't make any sense to me???
    "...for those of us using SSL to rework all the BPS related wp-admin calls to (especially external) resources, such as scripts and css and image files?"

    The plugin files themselves do not interfere whatsoever in an HTTP or HTTPS environment??? Hmm. Since I have not tested this personally I can't really offer any advice on that sorry.

    I took a look at the plugin you mentioned and it looks like it might be a good one. Not a whole lot of users, but that is probably just because SSL / HTTPS site setups are not as common.
    Thanks,
    Ed

  3. nv1962
    Member
    Posted 3 years ago #

    Wow Ed, thanks for that thorough explanation! About the first issue: yes, we're running PHP 5.2.14 so I don't think it's a version induced problem. Also, to be sure: the use of SSL is an issue that primarily relates to wp-admin access (including, of course, login and registration - to protect the innocent and clueless WiFi users alike).

    However, we'd like to also be able to select just a few more pages for "forced" SSL access (e.g. event reservations, contact form) which then, of course, would complicate things even more.

    Either way - I full well acknowledge that this "issue" is relevant to a very tiny group of users. Then again... I suppose it's reasonable to surmise that that tiny group may well on average have mid-to-higher traffic levels (hence the interest in SSL and security in general, to begin with) which suggests they're generally more prone to being strafed by bad bots. I.e. it might make it interesting as a test lab. However: I'll also admit that I'm just trying to seem like a slightly more relevant tiny minority here! ;-)

    Thanks again - I very much appreciate your hard work for making the WP reliant community a better, safer place.

  4. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    Yeah, I like to blab at any chance I am given. LOL. Even though your web host is telling you that you are running PHP 5 you should double check that. I assume you no longer have BPS installed or you could just check the System Info page to verify this. I have had about 20 or so people contact me saying they were running PHP5, but they had older domains that were still running PHP4 even though their web hosts had PHP5 set as the default. This has occurred on several different web hosts so it is not an isolated incident to a particular web host.

    If you wanted to force HTTPS for particular pages then you would put those pages in a directory / folder and force HTTPS on that folder:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} SSL-protected-folder
    RewriteRule ^(.*)$ https://www.your-domain.com/SSL-protected-folder/$1 [R,L]

    The other plugin you mentioned probably already has something like this automated (checkbox or textbox) in its settings page I assume.
    Thanks,
    Ed

  5. nv1962
    Member
    Posted 3 years ago #

    Good point, about double checking the PHP version. I'm positive about the version, though. Perhaps for others: when in doubt, create a blank text file and name it something like versiontest.php or something (it's not a good idea to name it info.php, as is often done, as it tends to be forgotten out there and it does give a very detailed run-down of your PHP configuration) and then put the following in it:
    <?php phpinfo() ?>
    Save it, upload it, visit it and look at the PHP version.

    And then delete that file; you don't want to hang a blueprint with a detailed map laying out your home, posted outside the front door, either.

    Yes, WordPress HTTPS indeed adds a checkbox to every page and post, allowing it to be "hard-set" for HTTPS access. However, in our case things get complicated really fast as we also use a poor man's CDN (i.e. subdomains on our own shared hosting account) and for a proper HTTPS page display you need a specific SSL certificate for any domain over which you serve that page. As I said: poor man's CDN, so a fairly expensive wildcard SSL cert (to cover all our subdomains) is out of our non-profit league, as of yet.
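
The advice in the post above, to delete the phpinfo() test file once the version has been read, can be backed by a periodic check of the web root. This is an added example, not part of the thread or of any plugin mentioned in it; the function name and the list of extensions are assumptions.

```python
import os
import re

# A phpinfo() call; PHP function names are case-insensitive.
PHPINFO_CALL = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)
# PHP comments: /* ... */, and // or # up to end of line or a closing ?> tag.
PHP_COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)(?:(?!\?>)[^\n])*", re.DOTALL)
PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def find_phpinfo_files(webroot):
    """Return sorted relative paths of PHP files under webroot calling phpinfo()."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                # Drop comments so a mere mention of phpinfo() is not reported.
                source = PHP_COMMENTS.sub("", fh.read())
            if PHPINFO_CALL.search(source):
                hits.append(os.path.relpath(path, webroot))
    return sorted(hits)
```

Each hit is a candidate for review: a small standalone file such as versiontest.php should be removed, whatever it was named.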

  6. AITpro
    Member
    Plugin Author

    Posted 3 years ago #

    Or just install BulletProof Security and check the System Info page for PHP info safely and securely for all time. LOL

    Also at some point I will be adding the php5.ini file to the list of editable files so people can safely and securely edit their php.ini file from within the WordPress Dashboard. ;)

Topic Closed

This topic has been closed to new replies.
