• Resolved Ray

    (@rwanwork)


    Hi all,

    In order to satisfy my organisation’s security requirements, they have asked me to modify our WordPress instance so that the administrator’s login page is via https. I was successful in making the entire site https, but some pages that have “http” hard-coded broke (not my fault…I didn’t write those pages…) but, more importantly, the site became much slower.

    It seems that our administrators would be satisfied if just the administrator’s interface (i.e., where passwords are sent) was within https. The public pages can be sent via http.

    I looked around and these instructions here clearly explain what I should do. However, it says under “Further Information”, that the steps below that are only for older versions of WordPress. Thus, all I need to do is:

    define('FORCE_SSL_ADMIN', true);

    I did that, but it isn’t working. That is, the public pages use http, but when I go to the administrator’s interface, it is still http.

    I *guess* that there is something I need to do with my web server’s (Apache) configuration. I have one conf file for port 80 and one for port 443. However, neither this page nor others I have looked at which give similar advice explain what I should do.

    Am I looking at the wrong place? Is there something wrong with my web server’s configuration files? Or is there something wrong elsewhere — perhaps within WordPress’ configuration?

    Any help would be appreciated! I’m not sure which part of the system I should be focussing on…

    Thank you!

    Ray

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi Ray,

    https://codex.wordpress.org/Administration_Over_SSL has some pretty good information regarding securing the admin of WordPress. You may need to continue to do some configuration on your server but the .htaccess trick should do the job. You may have to use a web.config if you are on Windows.

    HTTPS is a bit slower but if you are noticing a huge change in speed, point to the server itself. Try following some of the advice at https://codex.wordpress.org/WordPress_Optimization.

    Hope this helps

    Thread Starter Ray

    (@rwanwork)

    Hi Justin,

    Thank you for your message!

    Actually, I have looked at that web page already. As I said, I’m unclear about the part that says,

    Further Information

    The rest of this article serves as information in case you’re using an older version of WordPress (which ideally you shouldn’t!)

    That sort of implies I should ignore everything below that point if I am using a recent version of WordPress. Including fiddling with the .htaccess file. Is this part of the instructions incorrect?

    Should I continue with the WordPress instructions or should I be looking at the web server’s configuration?

    Thank you for your help!

    Ray

    There is nothing wrong with forcing HTTPS using the .htaccess file. WP uses the FORCE_SSL_ADMIN constant, but if that is not working, .htaccess will force HTTPS to work in the wp-admin area.

    Unless you have a rewrite rule somewhere in a vhost file, updating the .htaccess file to force SSL is just another way to do it. You can also install a plugin that will force HTTPS but that is up to you.
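
The .htaccess approach described in the reply above, as an added example that is not part of the original thread or of the Codex page: a mod_rewrite block that sends plain-HTTP requests for wp-login.php and wp-admin to HTTPS while leaving public pages on HTTP. It assumes mod_rewrite is enabled, that the virtual host allows .htaccess overrides (AllowOverride), that WordPress is installed in the site root, and that the port 443 virtual host serves the same document root.

```apache
# Added example (not from the thread). Place in the site-root .htaccess,
# above the "# BEGIN WordPress" block so it runs before WordPress's own rules.
<IfModule mod_rewrite.c>
RewriteEngine On

# Act only on requests that arrived over plain HTTP.
# Caveat: if TLS is terminated on a proxy or load balancer in front of
# Apache, %{HTTPS} is never "on" here and this rule would redirect forever.
RewriteCond %{HTTPS} !=on

# Match the login script and everything under wp-admin/.
# In .htaccess context the pattern is matched without a leading slash.
# R=301 is cached by browsers; use R=302 while testing.
RewriteRule ^(wp-login\.php|wp-admin(/.*)?)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```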

    Thread Starter Ray

    (@rwanwork)

    Hi Justin,

    AH!!! I see. When I read those instructions, I thought it should be interpreted as, “If you have a newer version of WordPress, use FORCE_SSL_ADMIN. Don’t bother looking below this line.” So, I thought my only option was to keep trying to get FORCE_SSL_ADMIN working (and it isn’t for me…I don’t know why).

    I’ll try a plugin option or .htaccess, then, and give up on FORCE_SSL_ADMIN.

    Thanks a lot for clarifying the instructions on that web page!

    Ray

The topic ‘https on administrator's interface’ is closed to new replies.