Created: 20 March 2006
WordPress has no native support for environments where it can be reached over both HTTP and HTTPS. Its configuration provides only one configurable URL. The solution presented here is a fairly simple approach that makes WordPress decide which URL to use by dynamically altering the home value. The secure URL can be completely different from the regular one.
Adding some code
To change WordPress' behavior, open wp-config.php in your favorite editor and locate the line require_once(ABSPATH.'wp-settings.php');. Add the following code beneath it:
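// Secure URL of the WordPress installation (adjust to your setup).
wp_cache_set("siteurl_secure", "https://www.example.com/path-for-wordpress-on-secure-server/", "options");
// Pick the scheme per request; HTTPS may be unset, or "off" on some servers (IIS).
wp_cache_set("home", ((!empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] != "off")?"https://":"http://").$_SERVER["SERVER_NAME"]."/your-blog-path", "options");
wp_cache_set("siteurl", get_settings("home")."/your-web-path-for-wordpress", "options");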
Note: the line for "siteurl" assumes that you have installed WordPress in another path below "your-blog-path" and do rewriting with mod_rewrite. If you do not and both paths are the same, just remove '."/your-web-path-for-wordpress"' (don't forget the dot). Should you need completely different URLs for HTTP and HTTPS, you can remove the autodetection and enter the secure URL instead of the "https://"-part in the second line and the HTTP URL instead of "http://" respectively. This could look like the following line:
wp_cache_set("home", (!empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] != "off")?"https://example.com/cust1/wpress/":"http://web.example.com/blog/", "options");
These few lines of code populate the settings cache with your values, depending on whether you enter the site over HTTP or HTTPS. The hostname will be set automatically.
Enforcing secure logins
Now, to force logins with SSL, open wp-login.php and search for "case 'login':". A few lines down in the file you'll find the HTML-head. Right before the add the line:
You should probably NOT replace it in
Once you have entered the SSL site, you will continue to browse it via SSL, and vice versa.
Annoyance: Alternating URLs in notification E-Mails
If you are worried that E-Mails are sent out with the URL type (secure/insecure) the visitor used, edit wp-includes/pluggable-functions.php and search for the functions wp_new_user_notification. There you have to replace
I've modified my WordPress just recently, but I did not see any problems until now. But beware: the cookies set on the secure site (if any) will be transmitted on the unencrypted connection unless the hostname or URL for HTTPS is different from the one used for HTTP (which is the case in my setup).
If those cookies worry you, there is another solution available from Juergen Kreileder, which seems to require mod_proxy.
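The cookie caveat above, as an added example that is not part of the original article: the RFC 6265 domain and path matching a browser applies when deciding whether a cookie stored from the HTTPS site also accompanies a plain-HTTP request. The cookie dictionaries and their names are constructed for illustration; the URLs reuse the article's example hosts.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: identical host, or host is a subdomain of the cookie domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: cookie path must be a whole-segment prefix of the request path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def sent_over_http(cookie, http_url):
    """True if a cookie set by the HTTPS site would accompany a request to http_url."""
    if cookie.get("secure"):
        return False  # the Secure attribute keeps the cookie off plain HTTP
    parts = urlsplit(http_url)
    host = parts.hostname
    if cookie.get("domain"):
        host_ok = domain_match(host, cookie["domain"])  # Domain= widens the scope
    else:
        host_ok = host == cookie["host"].lower()        # host-only cookie
    return host_ok and path_match(parts.path or "/", cookie.get("path", "/"))

def leaking(cookies, http_url):
    """Names of the cookies that would travel unencrypted to http_url."""
    return [c["name"] for c in cookies if sent_over_http(c, http_url)]

# Constructed sample: cookies as stored after visiting https://example.com/cust1/wpress/
SAMPLE = [
    {"name": "a_host_only", "host": "example.com", "path": "/"},
    {"name": "b_secure", "host": "example.com", "path": "/", "secure": True},
    {"name": "c_domain_wide", "host": "example.com", "domain": ".example.com", "path": "/"},
    {"name": "d_path_scoped", "host": "example.com", "path": "/cust1/wpress/"},
]

if __name__ == "__main__":
    print(leaking(SAMPLE, "http://example.com/blog/"))      # HTTP on the same hostname
    print(leaking(SAMPLE, "http://web.example.com/blog/"))  # HTTP on a different hostname
```

A different hostname for the HTTP site only isolates host-only cookies; a cookie carrying a Domain attribute for the parent domain still reaches the HTTP host unless it is marked Secure.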