Support » Plugin: Theme My Login » Force SSL on login pages based on wp-config

  • Firefox and other browsers are finally starting to take login security seriously. There’s a notice posted that a page is Not secure if it contains a password field but was loaded over HTTP. Seeing that warning makes users feel like a site isn’t properly managed, and deservedly so.

    The official WordPress way is to use FORCE_SSL_ADMIN:

    The constant FORCE_SSL_ADMIN can be set to true in the wp-config.php file to force all logins and all admin sessions to happen over SSL.

    We use define('FORCE_SSL_ADMIN', true); in wp-config. This makes all logins be served only over HTTPS – except the Theme My Login ones.

    History: There used to be a separate FORCE_SSL_LOGIN. Don’t remember for sure but TML might have adhered to that some years ago. However, its functionality was merged into FORCE_SSL_ADMIN with the rationale “providing SSL login without SSL admin areas is a false sense of security” in #10267 in 2014 and the function was deprecated in #34011 in 2015. Theme My Login deviates from this behavior by providing login pages that don’t force themselves to be HTTPS even when FORCE_SSL_ADMIN is set to true.

    Could the login, registration and password reset pages be made to redirect from HTTP to HTTPS when FORCE_SSL_ADMIN is true?

Viewing 3 replies - 1 through 3 (of 3 total)
Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Force SSL on login pages based on wp-config’ is closed to new replies.