WordPress offers ways to enforce SSL on the login and backend.
http://codex.wordpress.org/Administration_Over_SSL
However, I've run into problems when trying to secure just the login, not the whole backend. That is:
define('FORCE_SSL_ADMIN', false);
define('FORCE_SSL_LOGIN', true);
First, when using wp_loginout(), the link to the login page is HTTP, not HTTPS. That is, it links to: http://somesite.com/wp-login.php. The actual form on that page has a secure "action" parameter. So, the data is submitted securely. But, from the user's perspective, the login page is not secure, since wp-login.php is loaded via http and not https.
Second, if you try to log in on wp-login.php and fail (incorrect username or password), the link at the top "Return to site..." links to HTTPS. I think it's reasonable to expect that link to go to HTTP.
Is this working as designed?
If you run with
define('FORCE_SSL_ADMIN', true);
these are not issues. That is, it seems to work as expected.
Perhaps the problem is in wp-login.php. There is code in there to redirect from HTTP to HTTPS only if FORCE_SSL_ADMIN is true.
// Redirect to https login if forced to use SSL
if ( force_ssl_admin() && !is_ssl() ) {
    if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
        wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
        exit();
    } else {
        wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
        exit();
    }
}
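One way to make the wp_loginout() link point at https while keeping FORCE_SSL_ADMIN off, as an added example that is not part of the question or of WordPress core: a small must-use plugin hooking the core 'login_url' and 'lostpassword_url' filters. It assumes the wp-config.php constants quoted above and that wp-content/mu-plugins/ is the install's mu-plugins directory.

```php
<?php
/**
 * Plugin Name: Force HTTPS on login links (added example)
 *
 * Added example, not the question's or WordPress core's code. Assumes the
 * wp-config.php settings quoted in the question:
 *   define('FORCE_SSL_ADMIN', false);
 *   define('FORCE_SSL_LOGIN', true);
 * Save as wp-content/mu-plugins/force-https-login-links.php (path is an
 * assumption about the install layout).
 */

// Rewrite an http:// URL to https://, using the same preg_replace that
// wp-login.php itself uses when FORCE_SSL_ADMIN is true.
function example_https_login_scheme( $url ) {
    if ( defined( 'FORCE_SSL_LOGIN' ) && FORCE_SSL_LOGIN ) {
        return preg_replace( '|^http://|', 'https://', $url );
    }
    // FORCE_SSL_LOGIN not set: leave the URL exactly as core built it.
    return $url;
}

// wp_loginout() builds its link through wp_login_url(), whose result passes
// through the 'login_url' filter; the "Lost your password?" link passes
// through 'lostpassword_url'. Both pages carry forms, so both get https.
add_filter( 'login_url',        'example_https_login_scheme', 10, 1 );
add_filter( 'lostpassword_url', 'example_https_login_scheme', 10, 1 );
```

With this in place the user reaches wp-login.php over https in the first place, so the redirect branch quoted from wp-login.php is never needed for the login form; the "Return to site" link after a failed login is not affected by these filters.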