WordPress SSL Setup and Tricks

WordPress SSL is required to encrypt the data (traffic) exchanged between your WordPress blog or website and its visitors, which could also be you logging in to your WordPress admin pages.

Therefore if you are thinking of running a shopping cart or some sort of online shop, or your visitors submit sensitive information via an online form, you should implement WordPress SSL to encrypt the communication between your customers and your WordPress website.

We also recommend that every WordPress administrator implements WordPress SSL to encrypt the WordPress login session and avoid having WordPress usernames and passwords captured by malicious hackers, as seen in the Hacking the WordPress Login security tutorial.

WP White Security Tip: HTTPS (HTTP over SSL) consumes a lot of server resources. Only force SSL for the WordPress login, dashboard pages (wp-admin) and other pages from where you request sensitive information from your visitors.

Setting Up WordPress SSL

In this WordPress SSL security tutorial we will explain how to manually:

If you would like to configure WordPress SSL automatically via a plugin, refer to the article WordPress SSL Setup with WordPress HTTPS (SSL) plugin.

Get an SSL Certificate for your Web Server (Step 1)

Before you can enable WordPress SSL you need to get an SSL web server certificate that is used to encrypt the web traffic.

WP White Security Tip: HTTPS is HTTP traffic over Secure Sockets Layer (SSL); in other words, it is encrypted HTTP traffic.

If you have a VPS or you are using a shared hosting service, this procedure might vary from one hosting provider to the other. Therefore we recommend that you open a support ticket with your hosting provider to help you with the process.

If you have your own dedicated server you can follow steps 1 and 2 of the post Generate a Self Signed SSL Certificate for HTTPS on Apache to create a certificate signing request (CSR file).

Once the CSR file is generated, contact a certificate authority where you can submit your request so they can issue the certificate. Once your SSL certificate is issued, follow the procedure explained in section Configuring Apache Web Server to Run SSL (HTTPS).

SSL for WordPress Login and Dashboard

Force WordPress SSL for Login Only

To ensure that your WordPress usernames and passwords are encrypted when logging in to the WordPress admin pages, enable WordPress SSL for the login page by adding the following line to your wp-config.php file:

define('FORCE_SSL_LOGIN', true);

Note: When using this option only the WordPress login process will be encrypted.

Force WordPress SSL for Login and Dashboard (Admin Area)

To encrypt both the WordPress login process and the logged-in session (i.e. both credentials and cookies are encrypted), enable WordPress SSL for both the login page and the dashboard by adding the following line to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);
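The following wp-config.php fragment is an added example, not code from the original article. It puts FORCE_SSL_ADMIN in context and adds the one check most practitioners hit when they enable it: a site whose TLS is terminated by a reverse proxy or load balancer (an assumed setup, not one the article describes) reaches PHP over plain HTTP, so is_ssl() returns false and WordPress keeps redirecting to https:// in a loop. Trusting the proxy's X-Forwarded-Proto header fixes that.

```php
<?php
// Added example (not the article's own code): the relevant part of wp-config.php.
// FORCE_SSL_ADMIN covers the login page as well as the whole admin area, so it
// is the only constant needed when you want both encrypted.
define('FORCE_SSL_ADMIN', true);

// Assumption: TLS is terminated by a reverse proxy / load balancer in front of
// the web server, which forwards plain HTTP to PHP. Without this block is_ssl()
// is false behind such a proxy, and FORCE_SSL_ADMIN produces a redirect loop.
// Only trust this header when the proxy overwrites it on every request; a
// client-supplied X-Forwarded-Proto must never reach PHP unchanged, or anyone
// could make a plain-HTTP request look like HTTPS to WordPress.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

/* That's all, stop editing! Happy blogging. */
```

Both blocks must sit above the "That's all, stop editing!" line that wp-config.php ships with, since WordPress reads these constants before loading the rest of the application. On WordPress 4.0 and later FORCE_SSL_LOGIN is deprecated and, when set, simply switches FORCE_SSL_ADMIN on, which is why the example defines only the latter.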

Which Option Should I Use?

The most secure option is to force WordPress SSL for both the WordPress login page and the WordPress dashboard / admin pages. If the connection is very slow when accessing the WordPress dashboard over HTTPS, or you have few resources available on your server, you can opt to force SSL for the WordPress login only, which is the second best option.

WP White Security Tip: As an additional security measure you should bookmark the URL of your WordPress dashboard with the HTTPS protocol, e.g. https://www.mywpwebsite.com/wp-admin, rather than relying on the web server to redirect you from HTTP to HTTPS.

Forcing SSL for a Specific WordPress Page or Post

Once SSL is configured on your web server, by default all of your WordPress pages are accessible over both an HTTP and HTTPS connection, for example http://www.wpwhitesecurity.com and https://www.wpwhitesecurity.com.

But by default, all visitors will keep on accessing your website over a normal HTTP connection unless you redirect them. Therefore if you would like to automatically redirect users accessing a particular page, such as a payment form, to an HTTPS connection (encrypted HTTP connection), find the WordPress page ID and add the below script to your theme's functions.php file after replacing the page ID (in the below script we used a page ID of 149):

function force_ssl()
{
    // 149 is the ID of the page that must be viewed over an SSL (HTTPS) connection
    if ( is_page( 149 ) && ! is_ssl() ) {
        header( 'HTTP/1.1 301 Moved Permanently' );
        header( 'Location: https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] );
        exit();
    } elseif ( ! is_page( 149 ) && is_ssl() ) {
        // All other pages must not be served over HTTPS
        header( 'Location: http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] );
        exit();
    }
}
add_action( 'template_redirect', 'force_ssl' );

Note: The above script also redirects requests for every other page to a plain HTTP (non-SSL) connection, using the elseif branch.

If this branch is omitted and visitors access another page over an HTTPS connection that embeds objects from a non-secure link (i.e. objects loaded over an HTTP connection), a browser security warning will pop up, as seen in the below screenshot. Such security alerts might drive visitors away from your WordPress blog or website.
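The script above handles one page ID. As an added example that is not part of the original article, the version below generalises it to a list of page IDs (149 and 150 are assumed values; substitute your own) and makes two changes a WordPress developer would normally want: it leaves admin, AJAX and cron requests alone so it never fights with FORCE_SSL_ADMIN, and it builds the redirect target from the configured home URL rather than from request headers, handing the result to wp_safe_redirect(), which only redirects to hosts WordPress already trusts.

```php
<?php
// Added example (not the article's own code): force HTTPS on a set of pages
// and plain HTTP everywhere else, for a theme's functions.php.

function wpws_ssl_page_ids() {
    return array( 149, 150 ); // assumed IDs of the pages that must use HTTPS
}

function wpws_force_ssl_for_pages() {
    // The admin area, login, AJAX and cron are governed by FORCE_SSL_ADMIN;
    // bouncing them back to HTTP here would undo that protection.
    if ( is_admin()
        || ( defined( 'DOING_AJAX' ) && DOING_AJAX )
        || ( defined( 'DOING_CRON' ) && DOING_CRON ) ) {
        return;
    }

    $needs_ssl = is_page( wpws_ssl_page_ids() ); // is_page() accepts an array of IDs
    $uri       = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';

    // Take the host from the configured home URL, not from the Host header,
    // so the destination is always the site you configured. REQUEST_URI is the
    // full path from the document root, which also works for sites installed
    // in a subdirectory. Assumes the site runs on the standard ports.
    $host = parse_url( home_url(), PHP_URL_HOST );

    if ( $needs_ssl && ! is_ssl() ) {
        wp_safe_redirect( 'https://' . $host . $uri, 301 );
        exit;
    }

    if ( ! $needs_ssl && is_ssl() ) {
        wp_safe_redirect( 'http://' . $host . $uri, 301 );
        exit;
    }
}
add_action( 'template_redirect', 'wpws_force_ssl_for_pages' );
```

wp_safe_redirect() checks the target against the list of allowed redirect hosts (by default the home URL's host) and falls back to the admin URL if the host is not on it, so a misconfigured home URL shows up as a redirect to wp-admin rather than as a redirect to an unexpected host.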

[Screenshot: browser warning alerting visitors of non-secure objects]

Fixing Broken SSL Links in Theme Files

If a page is accessed over an HTTPS (WordPress SSL) connection and contains content loaded over a non-SSL connection (i.e. a normal HTTP connection), the browser will issue a security warning stating that some of the content is insecure, as seen in the above screenshot.

Even though WordPress will automatically update most of these links for you, those which are hardcoded won't be updated. To fix this issue, always use protocol-relative links in your files and content, as shown in the below example:

Hardcoded link: http://www.wpwhitesecurity.com

Protocol Relative Link: //www.wpwhitesecurity.com

By not specifying the protocol in a protocol-relative link, the browser automatically retrieves the content using the same protocol the page itself was requested with.

Alternatively you can use a WordPress plugin called SSL Insecure Content Fixer, which will automatically fix all the broken SSL links on your WordPress website.
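As an added example that is neither the article's own code nor the SSL Insecure Content Fixer plugin, the filter below applies the protocol-relative technique to hardcoded links inside post content: when a page is served over HTTPS, http:// links that point at your own host are rewritten to //host, so embedded images and scripts stop triggering the mixed-content warning. Third-party http:// resources are deliberately left untouched, because there is no guarantee they are available over HTTPS.

```php
<?php
// Added example (not the article's own code): rewrite hardcoded http:// links
// to this site into protocol-relative links, for a theme's functions.php.

function wpws_make_own_links_protocol_relative( $content ) {
    if ( ! is_ssl() ) {
        return $content; // nothing to fix on a plain HTTP page
    }

    $host = parse_url( home_url(), PHP_URL_HOST );
    if ( empty( $host ) ) {
        return $content;
    }

    // Match http://host or http://www.host inside src= and href= attributes.
    // preg_quote() escapes the dots in the host name; the '#' delimiter is
    // passed so it is escaped too should it ever appear.
    $pattern = '#(src|href)=(["\'])http://(www\.)?' . preg_quote( $host, '#' ) . '#i';

    // Keep the attribute name, the quote character and any leading "www.",
    // and drop only the scheme, so http://www.example.com becomes //www.example.com.
    return preg_replace( $pattern, '$1=$2//${3}' . $host, $content );
}
add_filter( 'the_content', 'wpws_make_own_links_protocol_relative', 20 );
```

The filter runs at priority 20 so that it sees the content after WordPress's own formatting filters (wpautop and friends, which run at priority 10) have produced the final HTML. Given the constructed input `<img src="http://www.example.com/logo.png">` on a site whose home URL is https://www.example.com, it returns `<img src="//www.example.com/logo.png">`.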

Enable WordPress SSL & Improve Your WordPress Security

With this WordPress SSL security tutorial there is no reason why any WordPress administrator should not implement WordPress SSL within minutes.

So why risk having your WordPress credentials stolen and your WordPress hacked when there is such an easy solution? Enable WordPress SSL today on your blog or website to improve the security of your WordPress.

Comments

  1. Finally, I found your article.
    I already use SSL for my blog but the problem is image URLs always give an error message in the browser. So it is because of the relative URL for images.
    Great, I’ll fix it. :)

  2. Could you expand your article or comment about using a Wildcard SSL Cert if one is hosting a WPMU for multi-user? Is there any way to just have a single domain SSL Cert and force all users into a single domain for administration, or does it have to be a Wildcard SSL Cert?

    Thanks,
    Chris

    • Hi Chris,

      Good question. In case of multisite you need to have a Wildcard SSL certificate, since even if you force users to login through a central location, they would still be redirected to the actual domain to preview articles etc, hence the only way of doing it and ensure that all logged in sessions are encrypted is to use Wildcard SSL.

      While I trust the above answers your question, do not hesitate to get in touch should you have any further queries.

  3. Charles says:

    Suppose I want ‘all’ my pages of my WordPress site to go through SSL. What sort of configuration would that require?

    • Good question Charles. It is possible to do it manually but there are a lot of bits and pieces that need to be done manually and you have to update the htaccess, wp-config files etc. In this case it would be easier to use the WordPress SSL plugin. If you are interested in doing it manually, drop me a mail and I’ll send you the information required.

  4. Hi, I used this define('FORCE_SSL_ADMIN', true); in the wp-config.php file, it works fine, but the login page doesn't appear with a green bar. On all my other pages it comes as https with green bar, but not on the login page… it just comes as https without green bar..

    and one other thing;
    if I want to visit mydomain.com, at first time, it's not forcing https, it just comes like http://mydomain.com, but when I click on a link on my site, it comes with both green bar and https.

    can you please help me, how I do so that it forces https at first time when I visit my site.

    thank you very much.

    • Hi Fawad,

      To redirect all HTTP connections to HTTPS, even for visitors who manually type HTTP in the browser, add this to your .htaccess file:

      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

      As regards the green bar, that is a bit different, i.e. it depends a lot on your setup etc. If you would like us to help you with it, please drop us an email at support@wpwhitesecurity.com

      Looking forward to hearing from you.
