Enable SSL Protection of the Admin Area in WordPress

Once SSL is enabled on the web server, the next step is to make sure the admin area (including the login form) is only ever served over SSL.

The simplest approach is to add one line to wp-config.php, which makes WordPress redirect wp-login.php and everything under wp-admin/ to HTTPS:

define('FORCE_SSL_ADMIN', true);

This approach, however, does not work well with blog networks.  Specifically, when you try to log in from a sub-site that uses domain mapping, you are made to log in twice:

  1. First to https://<mapped-domain>/wp-login.php, then re-auth at
  2. https://<top-site>/<sub-site>/wp-login.php

From the user's perspective this is somewhat painful.

To solve the problem, use the Admin SSL plugin.  It was developed before WordPress-MU was merged into WordPress, but it still works:

  1. Install the plugin via the Plugins page, but do not activate it
  2. Copy the directory admin-ssl-secure-admin from wp-content/plugins to wp-content/mu-plugins
  3. Copy admin-ssl.php from inside admin-ssl-secure-admin to wp-content/mu-plugins (WordPress only auto-loads PHP files at the top level of mu-plugins, not files in subdirectories, so this copy is what actually loads the plugin)
  4. Go to Administration -> Super Admin -> Admin SSL
  5. Enable “Secure My Site with SSL”
  6. If you want to protect the whole admin area under SSL, put wp-admin/ into the URL List textarea
  7. Save the options

With this plugin in place, make sure you comment out the define('FORCE_SSL_ADMIN', true); line in your wp-config.php.  Login now happens only once, but the plugin points the login link at https://<top-site>/<sub-site>/wp-login.php instead of the more desirable https://<mapped-domain>/wp-login.php, so there is still room for improvement.
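For readers who would rather see what such a redirect looks like in code, here is an added example of a minimal mu-plugin that does the same job as the FORCE_SSL_ADMIN define: it sends plain-HTTP requests for wp-login.php and wp-admin/ to HTTPS on whatever host the request arrived on (on a domain-mapped sub-site that is the mapped domain). This is example code written for this post, not the Admin SSL plugin and not code from WordPress itself; the plugin name, the function name example_force_admin_ssl and the assumption that a reverse proxy, if present, sets X-Forwarded-Proto are all mine.

```php
<?php
/*
Plugin Name: Force Admin SSL (example)
Description: Example mu-plugin (not the Admin SSL plugin): redirects wp-login.php
and wp-admin/ to HTTPS on the host the request arrived on.
*/

// Assumption: WordPress may sit behind a TLS-terminating reverse proxy that sets
// X-Forwarded-Proto. Without this, is_ssl() only ever sees plain HTTP and the
// redirect below would loop forever. Trust the header only if the proxy overwrites
// it on every request; otherwise a client can spoof it and skip the redirect.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on';
}

function example_force_admin_ssl() {
    if ( is_ssl() ) {
        return; // already on HTTPS, nothing to do
    }

    // $GLOBALS['pagenow'] is set by WordPress before plugins load.
    $is_login = isset( $GLOBALS['pagenow'] ) && 'wp-login.php' === $GLOBALS['pagenow'];
    if ( ! is_admin() && ! $is_login ) {
        return; // front-end request, leave it alone
    }

    // A redirect built from the Host header is only safe if the header is validated;
    // otherwise an attacker-chosen Host turns this into an open redirect.
    $host = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '';
    if ( ! preg_match( '/^[A-Za-z0-9.-]+(:[0-9]+)?$/', $host ) ) {
        wp_die( 'Invalid Host header.' );
    }

    // A submitted login form that arrives over plain HTTP has already leaked the
    // password on the wire; refuse it rather than redirect (which would turn the
    // POST into a GET anyway) so the login cannot succeed over HTTP.
    if ( 'GET' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'The admin area must be used over HTTPS.' );
    }

    // Stay on the host the visitor used: on a domain-mapped sub-site this is the
    // mapped domain, not the network's top site.
    $url = 'https://' . $host . $_SERVER['REQUEST_URI'];
    wp_redirect( $url, 301 );
    exit;
}
add_action( 'init', 'example_force_admin_ssl', 1 );
```

Drop the file into wp-content/mu-plugins/ as a top-level .php file; mu-plugins need no activation. Because the login then takes place over HTTPS, wp_set_auth_cookie() picks up is_ssl() and sets the Secure flag on the auth cookie, so the browser never sends it back over plain HTTP. Note that this only fixes the redirect; the login link that the Admin SSL plugin generates for a mapped sub-site is a separate matter and is not changed by this code.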

