Support » Fixing WordPress » secure admin access on shared hosting

  • Resolved byoussin

    (@byoussin)


    I want to have SSL access to the admin part of my wordpress site, or at least to be able to login over SSL.
    I know how to force SSL admin/login in wp-config.php.
    I am considering getting shared hosting and using the server’s shared SSL certificate seems to be a reasonable option.
    It seems to me that for this I need to be able to go be able to access the admin area of my site at
    https://servername.com/~mydomain.com/wp-admin
    while accessing my public site at
    http://mydomain.com
    Can this be done?
    I understand that there is a plugin that does this, WordPress SSL, but it has not been updated for 2 years already.
    This 4-year old article
    http://blog.justinkorn.com/2010/03/wordpress-and-shared-ssl/
    suggests some simple code in wp-config.php but I do not know whether it would work with the current versions of WordPress and stuff.
    Here http://forum.inmotionhosting.com/viewtopic.php?f=34&t=37742 there are more complicated suggestions which are 3 years old.
    I am sure this is an issue that lots of people have been thinking about but I have not found anything more recent.
    Any help?

Viewing 15 replies - 1 through 15 (of 15 total)
  • Moderator James Huff

    (@macmanx)

    It’s not necessary to access via the server’s direct path, and depending on how the server is configured, it probably won’t work.

    If you use this plugin to setup HTTPS access, you can identify the server as the SSL host: https://wordpress.org/plugins/wordpress-https/

    When you access it, you’ll get a warning that the domain on the certificate does not match the domain you’re visiting, suggesting it might be forgery. As long as you recognize the domain on the certificate (your server’s domain), you’ll have nothing to worry about. Regardless of the warning, your connection will be encrypted.

    And, failing all of that, certificates are getting cheaper by the day. I got mine directly through my hosting provider’s control panel (they have a partnership with a certificate authority) for just $10/year.

    James, thanks for your reply.
    I shall try this.
    I agree that the certificate price is not an issue. However, the hosting provider I am going to sign up with, charges $24/yr for the dedicated IP + $25 for installing any certificate.

    Moderator James Huff

    (@macmanx)

    Ah, that’s also a fair price for a cert (I have seen them up to $100), but I forgot about needing to pay extra for a dedicated IP on shared. That’s a steep price. If they offer a VPS option, check that out. You’ll get your own dedicated slice of server with a dedicated IP (you won’t be sharing with anyone), and I’m willing to bet the price is close to whatever your shared price is plus the dedicated IP.

    $25 is not for the certificate but rather for the job of installing it as they would not let me do it myself.
    Sorry for not being clear.
    I know I can find cheap certificate on the net.
    The shared hosting is cheap so the VPS is more expensive than shared hosting + dedicated IP.

    Moderator James Huff

    (@macmanx)

    Sounds good to stick with that then, fingers crossed that the plugin works for you! 🙂

    Well, it works!
    Here are the exact directions:
    Install WordPress HTTPS (SSL) plugin.
    In the HTTPS settings (usually accessed from the sidebar) fill SSL Host field in the General Settings:
    your-shared-server-name.com/path-to-your-account
    (ask all these from your hosting provider).
    Press Save Changes.
    DO NOT fill any domain mapping as SSL Host value already filled is enough for redirection and adding domain mapping got me 404.
    Log out and go to https://your-shared-server-name.com/path-to-your-account/wp-admin
    If you get your login page, successful! Try going around admin area to see that it works. You should see your server name and path to your acct all the time in the browser address.
    At this point you have the possibility of secure login via the server address and your path, or insecure login by your domain name.
    If everything is fine, go again to HTTPS settings and check Force SSL administration. This will block insecure login.
    Done! (If locked out, go to Plugin FAQ for break-in directions.)
    Good luck!

    Moderator James Huff

    (@macmanx)

    Thanks for sharing your steps!

    Addition: this setup does not even cause SSL certificate mismatch complaint from the browser since there is no server mismatch: all admin part of my WP site is accessed via the hosting server and my path on it, and the server is the one listed on the certificate.
    🙂

    Moderator James Huff

    (@macmanx)

    That’s great, thanks again!

    I am trying to understand this plugin. I added an ssl to my site and I just want to offer secure checkout what do I need to do? I am using Woo’s First Data plugin http://www.woothemes.com/products/firstdata/ and Bank of America will be handling the credit card portion should I till be worried?

    If I set this up will this change the entire site seeing I didn’t add the “s” in the http link.

    Hope I am explaining this right.

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Could you please start your own topic?

    How-To and Troubleshooting

    It really is the best way to get support for your problem.

    Bad news: this trick does not work with W3 Total Cache plugin as this plugin gets totally confused by this setting.
    (It works with WP Super Cache but the latter has less features than W3 Total Cache.)

    Moderator James Huff

    (@macmanx)

    I recommend reporting that over at https://wordpress.org/support/plugin/w3-total-cache they might have a solution, or at the very least they should probably fix that.

    This place you indicated – the support forum of W3 Total Cache – is unattended – as you can see there – so there is no point in posting there.
    The way to get to the plugin developers is by filing a bug in the Support page of the plugin settings.
    I have filed today another item this way with them but it was a clear bug.
    As for this one, I am not sure so I am hesitant filing this as a bug.

    Moderator James Huff

    (@macmanx)

    Well, they’re the ones who can fix it if you want to keep using W3TC, so you’l have to contact them somehow. 🙂

    There’s also https://www.w3-edge.com/contact/

Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘secure admin access on shared hosting’ is closed to new replies.