Support » Installing WordPress » SSL enabled by default for login/admin; how to remove?

  • First time using WP, and I’ve simply followed the 5min install: unzipped to root directory, set up the DB, went through the “install” script, and when it said log-in I noticed that it was trying to post to https://mydomain/wp-login.php.

    I’ve been through everything and can’t work out how to disable https for login & the admin section.

Viewing 15 replies - 1 through 15 (of 16 total)
  • Moderator Samuel Wood (Otto)

    (@otto42) Admin

    I don’t see how that could happen unless you specifically turned it on.

    Look in the wp-config.php file. See if you see anything setting “FORCE_SSL” or similar to “true”. To turn it off, simply change it to false.

    There’s nothing in the wp-config file that’s not there by default. This is a completely clean install, downloaded directly from

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    Well, then, that doesn’t make any sense. WordPress does not force SSL by default. But something somewhere is doing this. Your task is now to figure out what that is.

    We probably can’t help you much with this task, since we don’t have access to your site.

    You can easily replicate this yourself:

    # cd /var/www
    # curl | tar zx
    # mv wordpress mycompanyblog

    …then point your webserver to it, and go through the 5min install instructions. That’s all I did! 4 times I’ve done it now, wiping everything – even the server, since this is a completely fresh install on an Amazon EC2 server. Still no luck.

    Please note:
    – I’m NOT changing any variables/options/settings by hand; all done through the install script.
    – I’m NOT editing any database tables, rows, or data.
    – I’m NOT modifying any source code in the PHP files.

    I honestly can’t believe this; I could understand if I were messing with settings during the install, but I’m not. Download, unzip, point webserver at source, follow instructions… FAIL.

    I’ve even tried 2.7.1 – same deal: the form on /wp-login.php automatically wants to post via https. Same install method; download, unzip, point webserver at space, visit domain and go through the online setup instructions… gives me the password after completion, then the login form wants to post via https!

    It also seems that all links/resources want to be served by https. Nothing works as expected! Seriously, this needs sorting.

    Please note; I’m not using Apache. I’m using nginx. This shouldn’t matter as wp is just another PHP app, unless it checks/modifies the apache config automatically during the setup procedure. If it does, then its a naughty, naughty little application and should be scolded.

    otto42 is correct – wordpress does not do this by default – something else is up

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    It also seems that all links/resources want to be served by https. Nothing works as expected! Seriously, this needs sorting.

    See, now that can’t possibly be WordPress, because other resources like images and such are not served up by WordPress. They’re straight thru the webserver. So this is a product of your webserver configuration, somehow.

    Sorry, I failed to express myself correctly: the HTML generated has https:// links for everything. Archive, images, etc. Checking the http headers for theme images requested in the CSS shows PHP *redirects* to https. PHP wouldn’t even be part of the headers if nginx was redirecting.

    The odd thing is that this doesn’t happen on IIS. Just nginx. Here’s what’s going on:

    # cd /var/www
    # curl | tar zx
    # mv wordpress mycompanyblog
    # cat /etc/nginx/vhosts/mycompanyblog
    server {
    server_name mycompanyblog.tld;
    root /var/www/mycompanyblog;
    index index.php;
    location / {
    try_files $uri @wordpress;
    location @wordpress {
    rewrite ^ /index.php?q=$uri last;
    location ~ \.php($|/) {
    include conf/php-fcgi.conf;
    # service nginx restart

    Nothing crazy there, and I’ve hosted hundreds of sites with Nginx+PHP so I have some idea of what I’m doing.

    The links in the HTML source after going through the install look like this: https://mycompanyblog.tld/?m=200907

    I’m at a complete loss.

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    Did you type https into the two URL’s in the setup or in the Settings->General screen? It uses those settings to build any of the internal URLs.

    You probably have in your fastcgi_params the following line:
    fastcgi_param HTTPS on;

    Remove that line and things should work as expected.



    Stevan has a good point. If you didn’t set it to do this in WordPress, chances are that it’s a server level configuration that needs to be changed.

    This is happening to me too, and having the css and images in https while the page was loaded in http is very annoying. It breaks ajax and such. I NEVER specified https during installation. I can’t find any https in the database or config files. If I disable https on this vhost the problem still exists, but now the css and images can’t load! This is on an Apache2/PHP5/MySQL5 server. (I also installed to a vhost that did not have https and no problem.) Function is_ssl() returns true everytime the page is loaded through http or https.

    Solved – https html links added on a non-https vhost
    by correcting the logic in is_ssl()

    (Red Hat 5) Apache 2.2.x \w mod_php-5.2.11

    — lines 3040 – 3047 of ./wp-includes/functions.php

    function is_ssl() {
            if ( isset($_SERVER['HTTPS']) ) {
                    #if ( 'on' == strtolower($_SERVER['HTTPS']) )
                            return true;
                    #if ( '1' == $_SERVER['HTTPS'] )
                    #       return true;
            #} elseif ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
            #       return true;
            return false;

    Set to a non-empty value if the script was queried through the HTTPS protocol.

    Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.

    — looks like they develop WP on IIS and have developed a working method for IIS ISAPI **only. In either case(Apache or IIS) the global is undefined unless we are accessed via an https://hostname

Viewing 15 replies - 1 through 15 (of 16 total)
  • The topic ‘SSL enabled by default for login/admin; how to remove?’ is closed to new replies.