Using WordPress with SSL

noctis.de


March 20. 2006 at 12:08
Posted by admin in Computer, Web
WordPress has no native support for sites that are reachable over both HTTP and HTTPS: the configuration provides only one configurable URL. The solution presented here is a fairly simple way to make WordPress decide which URL to use, by dynamically altering the siteurl and home values. The secure URL can be completely different from the regular one.

Adding some code


To change WordPress' behavior, open wp-config.php in your favorite editor and locate the line require_once(ABSPATH.'wp-settings.php');. Add the following code beneath it:
wp_cache_set("siteurl_secure", "https://www.example.com/path-for-wordpress-on-secure-server/", "options");
wp_cache_set("home", ((!empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off") ? "https://" : "http://").$_SERVER["SERVER_NAME"]."/your-blog-path", "options"); // HTTPS is unset on plain HTTP, or "off" on IIS
wp_cache_set("siteurl", get_settings("home")."/your-web-path-for-wordpress", "options");


Note: the line for "siteurl" assumes that you have installed WordPress in another path below "your-blog-path" and do rewriting with mod_rewrite. If you do not, and both paths are the same, just remove '."/your-web-path-for-wordpress"' (don't forget the dot). Should you need completely different URLs for HTTP and HTTPS, you can remove the autodetection and enter the secure URL in place of the "https://" part of the second line and the HTTP URL in place of "http://". This could look like the following line:
wp_cache_set("home", (!empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off") ? "https://example.com/cust1/wpress/" : "http://web.example.com/blog/", "options");



These few lines populate the settings cache with your values, depending on whether you enter the site via HTTP or HTTPS. The hostname is set automatically.

Enforcing secure logins


Now, to force logins with SSL, open wp-login.php and search for "case 'login':". A few lines down in the file you'll find the HTML head. Right before the </head>, add the line:
<base href="<?php echo get_settings('siteurl_secure'); ?>">
You should probably NOT replace it in check_admin_referer.

Once you have entered the SSL site, you will continue to browse it via SSL, and vice versa.

Annoyance: Alternating URLs in notification E-Mails


If you are worried that e-mails are sent out with the URL type (secure/insecure) the visitor used, edit wp-includes/pluggable-functions.php and search for the functions wp_notify_moderator, wp_notify_postauthor and/or wp_new_user_notification. There, replace get_settings('siteurl') with get_settings('siteurl_secure').

Known Problems


I've modified my WordPress just recently, but I did not see any problems until now. But beware: the cookies set on the secure site (if any) will be transmitted on the unencrypted connection unless the hostname or URL for HTTPS is different from the one used for HTTP (which is the case in my setup).

If those cookies worry you, there is another solution available from Juergen Kreileder, which seems to require mod_proxy.
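
The cookie caveat above, seen from the browser's side, as an added example (not code from the original post): a simplified model of the RFC 6265 matching rules shows which cookies stored during an HTTPS login also accompany plain-HTTP requests. The cookie name, hosts and paths are constructed sample values, and the Domain-attribute and Secure-attribute cases go beyond the hostname/path split the post describes.

```javascript
// Simplified model of the browser's cookie-sending decision (RFC 6265, section 5.4).
// All hosts, paths and cookies below are constructed sample values.

// Domain-match: a host-only cookie needs the exact host; a cookie set with a
// Domain attribute also matches subdomains of that domain.
function domainMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Path-match: the cookie path must be a prefix of the request path that ends
// on a "/" boundary.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// True if the browser would attach the cookie to a request for `url`.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(cookie, u.hostname) && pathMatches(cookie.path, u.pathname);
}

// Cookie as it would be stored after a login on the HTTPS site (hypothetical name).
function loginCookie(domain, path, opts = {}) {
  return { name: "wp_session_example", domain, path,
           hostOnly: !opts.domainAttr, secure: !!opts.secure };
}

const sameHost  = loginCookie("www.example.com", "/blog/");
const otherHost = loginCookie("secure.example.com", "/~user/blog/");
const wideScope = loginCookie("example.com", "/", { domainAttr: true });
const flagged   = loginCookie("www.example.com", "/blog/", { secure: true });

const httpUrl = "http://www.example.com/blog/2006/09/26/entry-slug/";
const results = {
  sameHost:  cookieSentTo(sameHost, httpUrl),   // same host and path: sent unencrypted
  otherHost: cookieSentTo(otherHost, httpUrl),  // different host: not sent
  wideScope: cookieSentTo(wideScope, httpUrl),  // Domain=example.com undoes the host split
  flagged:   cookieSentTo(flagged, httpUrl),    // Secure attribute: never sent over HTTP
};
console.log(results);
```

Separating the hostnames only helps while the cookie stays host-only; a cookie carrying the Secure attribute stays off HTTP regardless of how the two sites are laid out.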

Comments

Hey there. Great idea. I found you thru the Juergen page that you linked to. I don't need anything as robust as his.

I'm testing now and have the following setup:

http://www.example.com/blog/
and
https://secure.example.com/~user/blog/

I use mod rewrite for the filenames so you get the dates in the URLs (e.g. /blog/2006/09/26/entry-slug/)

I updated config.php with the following:

wp_cache_set("siteurl_secure", "https://secure.example.com/~user/blog/", "options");

wp_cache_set("home", $_SERVER["HTTPS"]?"https://secure.example.com/~user/blog/":"http://www.example.com/blog/", "options");

wp_cache_set("siteurl", get_settings("home"), "options");

The home page of the blog loads fine, in the secure domain, but when I try to browse to other pages it returns a 404 saying it can't find "/blog/index.php". This is odd since it's the page that was just served....

Any ideas? (I'm going to end up setting up so the https and http have the same directory structure which should eliminate this, but figured you might want to know about this.)
#1 Alan on 2006-09-28 06:30 (Reply)
I've set up so the only thing that is different is the domain and none of the file paths and everything works like a champ. Great hack.

One thing I did a little different was with the login. I set up so the login page automatically redirects itself to the https version if it wasn't called instead of using the base href tag.

All I did for this was drop this

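if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    // Not on HTTPS (unset, or "off" on IIS): send the browser to the secure login page.
    header("Location: " . get_settings('siteurl_secure') . "wp-login.php");
    exit; // stop here so the login form is not also rendered over HTTP
}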

under the:

#2 Alan (Homepage) on 2006-09-28 07:10 (Reply)
I think there is a little issue: Wordpress Address and Weblog Address in Options both appear with the HTTPS url.
But anyway, this hack works perfectly!
#3 Davd Lopez eSpencer (Homepage) on 2006-11-27 17:20 (Reply)
There's another solution, the secure-admin plugin. However there was a bug in the code which I went about fixing:

http://haris.tv/2007/01/11/wordpress-ssl-plugin-secure-admin-patched-and-working

Haris
#4 Haris (Homepage) on 2007-01-12 10:50 (Reply)
