[Resolved] [Plugin: WordPress HTTPS] What is the purpose of the shared SSL option?

Viewing 15 replies - 16 through 30 (of 34 total)
  • Hi Mike,

    I am trying to use your plugin with a shared SSL certificate on a WordPress website hosted by InMotion Hosting. Unfortunately, neither the login page nor the administrative pages are using HTTPS. Will the new version of your plugin provide this functionality?

    By the way, I found a small mistake in the installation instructions. Step 1 says to “Upload wordpress-https.php to the /wp-content/plugins/ directory.” It should say to upload the “wordpress-https directory” (not just the PHP file) to the plugins directory.

    Thanks for all your hard work on this plugin! I hope it can do what I need so that my clients and I won’t have to pay more $$$ for dedicated SSL certificates.

    All the best,

    Fred Chapman

    P.S. I tested the plugin using three different browsers: Chrome, Firefox, and Internet Explorer. None of them used HTTPS for login/admin pages.

    Plugin Author Mike Ems

    @mvied

    Hey Fred,

    Have you tried setting the global variable FORCE_SSL_ADMIN to true in the wp-config.php file? (How to) When you do that and try to go to your admin panel, does it try to redirect to just https://yourdomain.com or your Shared SSL URL? Ideally, I want to find that redirect and change it if it doesn’t redirect to the Shared SSL URL.

    I actually don’t have a Shared SSL to test this functionality out, it’s all kind of guesswork from user feedback, haha. One user did let me use their server for a while, which was helpful. 🙂

    fwchapman

    @fwchapman

    Hi Mike,

    Thanks for your speedy reply! I put these two lines in my wp-config.php file:

    define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);

    When I go to login, it still uses plain old HTTP. When I access my admin panel, it again uses plain old HTTP. It never tries to redirect to anything. In fact, none of the SSL/HTTPS plugins I’ve tried seem to work with shared SSL.

    I checked the Shared SSL box in your plugin and entered the secure URL. For InMotion Hosting, it has the form:

    https://secureNN.inmotionhosting.com/~USERNAME

    where NN is the server number and USERNAME identifies the account.

    Since I posted my question, I’ve done a lot of shopping around for SSL certificates. Comodo sells SSL certificates with 1024-bit public keys and 256-bit session keys for only $10/year. A cryptography expert I know confirms that 1024-bit RSA can still be considered secure for a few more years, despite the recent hype to the contrary. (Tampering with the power supply to induce and exploit hardware faults can hardly be considered a realistic scenario in any good commercial data center.)

    At $10/year, anyone can afford to get a dedicated SSL certificate. A secure URL based on the domain name looks more professional, and that inspires confidence in customers. I think it’s well worth the money!

    Fred

    fwchapman

    @fwchapman

    P.S. You can purchase a PositiveSSL certificate from Comodo here:

    http://www.positivessl.com/ssl-certificate-products/ssl/ssl-certificate-positivessl.html

    fwchapman

    @fwchapman

    P.P.S. You can try a PositiveSSL certificate for FREE for 30 days here:

    http://www.positivessl.com/ssl-certificate-products/free-ssl-certificate.html

    Plugin Author Mike Ems

    @mvied

    Hey Fred,

    I agree about SSL certificates. I don’t think $10 a year is much to ask, but this feature is requested, so I must give the people what they want. 🙂

    I’ll need more time to look into how to best accomplish the admin panel redirect to a Shared SSL. I could do it quick and dirty, but I want to do it the right way. I’ll update the thread when I know more.

    Thanks,
    Mike

    Plugin Author Mike Ems

    @mvied

    In version 1.9, the ability to login to the admin panel via Shared SSL has been added.

    Mike,

    Thanks for the new feature! That should help a lot of people, especially those who just want a cheap, easy, secure way to maintain their WP sites.

    Fred

    Sorry if this is answered somewhere else, or if I’m just being a numbskull, but should it be possible with the Shared SSL setting enabled to redirect a single page within your site? I know that I have my base URL set to my non-secure, paid domain name in several places (eg, in WP settings and elsewhere in the DB), and therefore I don’t want to simply change all of my settings to my host’s secure URL, but I can only navigate to my site’s homepage and wp-admin using the https URL – none of the subpages work (I get 404s). The plugin does seem to work properly, though, by just redirecting at the page level.

    Plugin Author Mike Ems

    @mvied

    Hey Josh68,

    Some Shared SSL hosts have issues with custom permalink structures. Try setting your permalinks to the default and see if that fixes it.

    Thanks,
    Mike

    Thanks. I’ll have to determine whether that will mess up anything else for me. I’m beginning to think I should just get my client to purchase a private ssl cert, which I hope would avoid those problems.

    I just reread some of this thread and wanted to add a couple new thoughts:

    Comodo’s Positive SSL certificates now use 2048-bit RSA public keys, which are much more secure than 1024-bit keys.

    I noticed a very important point in the WordPress documentation about where to put these lines in the wp-config.php file:

    define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);

    The WordPress codex says (with boldfacing added by me):

    The constant FORCE_SSL_LOGIN can be set to true to force all logins to happen over SSL. This (and all other such definitions) must be placed before

    /* That's all, stop editing! Happy blogging. */
    ...
    require_once(ABSPATH . 'wp-settings.php');

    in the file, otherwise they will not take effect.

    I think this point is worth emphasizing since it’s not obvious from the comments included in the wp-config.php file.

    Best wishes,

    Fred
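
An added example, not part of the original thread or the plugin's code: a small Python check that the two constants named in the post above are set to true before the wp-settings.php include in a wp-config.php file. The function names and the sample file contents are constructed for illustration.

```python
import re

# Quoted strings are matched first so that comment-like text inside them
# (for example in secret keys) is not mistaken for a comment.
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|(?://|\#)[^\n]*""", re.S)
DEFINE = re.compile(r"""\bdefine\s*\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)""")
# The include that hands control to WordPress; later defines come too late.
SETTINGS = re.compile(r"""require(?:_once)?\s*\(?\s*ABSPATH\s*\.\s*['"]wp-settings\.php['"]""")

def strip_comments(src):
    """Remove PHP comments but keep string literals and line breaks."""
    def keep(m):
        tok = m.group()
        return tok if tok[0] in "'\"" else "\n" * tok.count("\n")
    return TOKEN.sub(keep, src)

def audit(src, names=("FORCE_SSL_LOGIN", "FORCE_SSL_ADMIN")):
    """Return {constant: 'ok' | 'not true' | 'too late' | 'missing'}."""
    code = strip_comments(src)
    inc = SETTINGS.search(code)
    cutoff = inc.start() if inc else len(code)
    result = {name: "missing" for name in names}
    for d in DEFINE.finditer(code):
        name, value = d.group(1), d.group(2).strip().lower()
        if result.get(name) != "missing":
            continue  # not audited, or already defined (first define wins in PHP)
        if d.start() > cutoff:
            result[name] = "too late"
        else:
            result[name] = "ok" if value == "true" else "not true"
    return result

# Constructed sample: the defines sit below the include, and the only
# define above it is commented out.
BAD = """<?php
define('AUTH_KEY', 'x/*y#z');  // constructed key with comment-like characters
// define('FORCE_SSL_LOGIN', true);
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
"""

if __name__ == "__main__":
    for name, status in audit(BAD).items():
        print(f"{name}: {status}")
```
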

    Plugin Author Mike Ems

    @mvied

    I’m pretty sure that’s why it says “/* That’s all, stop editing! Happy blogging. */”. Lol.

    Mike,

    It’s a matter of clarity. Yes, the meaning of the comment in the wp-config.php file is obvious — once you’ve read the WordPress codex. If you never saw that section of the codex, you are likely to overlook the precise meaning of that cryptic comment!

    If the comment were as clear as the codex, I wouldn’t have made a big deal over this. It is a big deal, and it needs to be emphasized in order to prevent unnecessary problems in getting SSL to work with WordPress. Taking just a few minutes to include clear instructions now could save you hours of technical support time later.

    This reminds me of a saying I learned from my father: Clear communication isn’t about expressing yourself so that you can be understood — it’s about expressing yourself so that you cannot possibly be misunderstood.

    So there! 🙂 Now who’s LOLing out loud?!?! 🙂 🙂

    Fred

  • The topic ‘[Resolved] [Plugin: WordPress HTTPS] What is the purpose of the shared SSL option?’ is closed to new replies.