WordPress has no native support for sites that can be reached over both HTTP and HTTPS: its configuration provides only one configurable URL. The solution presented here is a fairly simple way to make WordPress decide which of the possible URLs to use by dynamically altering the siteurl and home values. The secure URL can be completely different from the regular one.

Adding some code

To change WordPress' behavior, open wp-config.php in your favorite editor and locate the line require_once(ABSPATH.'wp-settings.php');. Add the following code beneath it:

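wp_cache_set("siteurl_secure", "", "options");
wp_cache_set("home", ((!empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] != "off")?"https://":"http://").$_SERVER["SERVER_NAME"]."/your-blog-path", "options");
wp_cache_set("siteurl", get_settings("home")."/your-web-path-for-wordpress", "options");
// $_SERVER["HTTPS"] is unset on plain HTTP and can be the string "off" under IIS, hence the explicit test.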

Note: the line for "siteurl" assumes that you have installed WordPress in another path below "your-blog-path" and do the rewriting with mod_rewrite. If you do not, and both paths are the same, just remove '."/your-web-path-for-wordpress"' (don't forget the dot). Should you need completely different URLs for http and https, you can remove the autodetection and enter the secure URL instead of the "https://" part in the second line and the http URL instead of "http://" respectively. This could look like the following line:

wp_cache_set("home", (!empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] != "off")?"":"", "options"); // first string: secure URL, second string: http URL

Those few lines of code populate the settings cache with your values, depending on whether you enter the site via http or https. The hostname is set automatically.
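The snippet above trusts two request values: $_SERVER["HTTPS"], and $_SERVER["SERVER_NAME"], which under Apache reflects the client-supplied host name unless UseCanonicalName is On and ServerName is set. The following is an added example, not part of the original post, that builds the same two URLs only for expected host names; the host names in ALLOWED_HOSTS and the helper functions request_is_https() and dynamic_urls() are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Host names are constructed
// placeholders; the two paths are the placeholders used in the post.
const ALLOWED_HOSTS = ['blog.example.org', 'secure.example.org']; // assumption
const BLOG_PATH = '/your-blog-path';
const WP_PATH   = '/your-web-path-for-wordpress';

// True only when the request arrived over TLS. $_SERVER['HTTPS'] may be
// unset (plain HTTP) or the string "off" (IIS), so a bare truth test is wrong.
function request_is_https(array $server): bool
{
    $flag = strtolower((string) ($server['HTTPS'] ?? ''));
    return $flag !== '' && $flag !== 'off';
}

// Returns the "home" and "siteurl" values for this request, or null when
// the host name is not one we serve (the stored options then stay in use).
function dynamic_urls(array $server): ?array
{
    $host = strtolower((string) ($server['SERVER_NAME'] ?? ''));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    $home = (request_is_https($server) ? 'https://' : 'http://') . $host . BLOG_PATH;
    return ['home' => $home, 'siteurl' => $home . WP_PATH];
}

// Constructed sample requests covering the edge cases.
$samples = [
    ['SERVER_NAME' => 'blog.example.org'],
    ['SERVER_NAME' => 'blog.example.org', 'HTTPS' => 'on'],
    ['SERVER_NAME' => 'blog.example.org', 'HTTPS' => 'off'],
    ['SERVER_NAME' => 'unexpected.invalid', 'HTTPS' => 'on'],
];
foreach ($samples as $s) {
    $urls = dynamic_urls($s);
    echo json_encode($s), ' => ', $urls ? $urls['home'] : '(keep stored option)', "\n";
}

// In wp-config.php the result would feed the same calls as in the post:
// if ($urls = dynamic_urls($_SERVER)) {
//     wp_cache_set("home", $urls["home"], "options");
//     wp_cache_set("siteurl", $urls["siteurl"], "options");
// }
```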

Enforcing secure logins

Now, to force logins with SSL, open wp-login.php and search for "case 'login':". A few lines down in the file you'll find the HTML-head. Right before the add the line: . You should probably NOT replace it in check_admin_referer.

Once you have entered the SSL site, you will continue to browse it via SSL, and vice versa.

Annoyance: Alternating URLs in notification E-Mails

If you are worried that e-mails are sent out with the URL type (secure/insecure) the visitor used, edit wp-includes/pluggable-functions.php and search for the functions wp_notify_moderator, wp_notify_postauthor and/or wp_new_user_notification. There you have to replace get_settings('siteurl') with get_settings('siteurl_secure').

Known Problems

I've modified my WordPress just recently, but I did not see any problems until now. But beware: the cookies set on the secure site (if any) will be transmitted on the unencrypted connection unless the hostname or URL for HTTPS is different from the one used for HTTP (which is the case in my setup).

If those cookies worry you, there is another solution available from Jürgen Kreileder, which seems to require mod_proxy.