
It's good security practice to force SSL on the WordPress admin back-end and the login page, so that passwords and session cookies are never sent in the clear. I'm hardly the first to point this out; there's an entire page on WordPress's website dedicated to it (Administration over SSL).

I've spent the last few days setting up WordPress as a CMS and webshop (with wp-e-commerce) for a company. While no credit cards are handled in the webshop, I still wanted to secure the login and admin pages. However, since the website is hosted at Dreamhost, I was limited to the .htaccess file. Moreover, since the same .htaccess file is read for both SSL and non-SSL requests, I needed a condition on the request's scheme to avoid creating an infinite redirect loop.

Enough rambling. The code snippets on the 'Administration over SSL' page didn't work for me, so I wrote one myself. Here it is:

## Plain HTTP request for the back-end or the login page: send it to HTTPS.
## %{REQUEST_URI} is used instead of $1 because a negated RewriteRule pattern
## (the rule below) captures no backreferences, so $1 would be empty there.
RewriteCond %{HTTPS} !=on
RewriteRule ^(wp-admin|wp-login\.php) https://www.yourdomain.com%{REQUEST_URI} [R=301,L]
## HTTPS request for anything else: send it back to plain HTTP.
RewriteCond %{HTTPS} =on
RewriteRule !^(wp-admin|wp-login\.php) http://www.yourdomain.com%{REQUEST_URI} [R=301,L]

Also, please note that this snippet must come after WordPress's own rewrite rules, otherwise it won't work. The entire .htaccess file looks as follows:


RewriteEngine On

## WordPress' SEO permalinks
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

## Beefing up the security
## Plain HTTP request for the back-end or the login page: send it to HTTPS.
## %{REQUEST_URI} is used instead of $1 because a negated RewriteRule pattern
## (the rule below) captures no backreferences, so $1 would be empty there.
RewriteCond %{HTTPS} !=on
RewriteRule ^(wp-admin|wp-login\.php) https://www.yourdomain.com%{REQUEST_URI} [R=301,L]
## HTTPS request for anything else: send it back to plain HTTP.
RewriteCond %{HTTPS} =on
RewriteRule !^(wp-admin|wp-login\.php) http://www.yourdomain.com%{REQUEST_URI} [R=301,L]

Update: This actually doesn't work very well. The back-end loads its images (and scripts and stylesheets) from directories outside wp-admin/, so while you are in SSL mode the browser requests them over HTTPS, the second rule redirects those requests back to plain HTTP, and the admin pages end up as mixed content, which browsers warn about or partly block.
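One way to handle that failure mode, added here as an example and not part of the original post: keep forcing HTTPS on the back-end and the login page, but exempt wp-includes/ and wp-content/ (where the admin's stylesheets, scripts, images and uploads live) from the HTTPS-to-HTTP redirect, so those assets keep loading over SSL. As in the post, www.yourdomain.com is a placeholder for the real host name.

```apache
RewriteEngine On

## WordPress' SEO permalinks (unchanged)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

## 1. Plain HTTP request for the back-end or the login page: redirect to HTTPS.
##    %{REQUEST_URI} is the path the client asked for, so this also works on the
##    second rewrite pass that the [L] flag above triggers (where $1 would be
##    "index.php" rather than the original path).
RewriteCond %{HTTPS} !=on
RewriteRule ^(wp-admin|wp-login\.php) https://www.yourdomain.com%{REQUEST_URI} [R=301,L]

## 2. HTTPS request for the public site: redirect back to plain HTTP, EXCEPT for
##    the back-end itself and the static asset directories it loads from.
##    The exemption is expressed as a RewriteCond on %{REQUEST_URI} instead of a
##    negated RewriteRule pattern, so no backreference is needed.
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-login\.php|wp-includes|wp-content)
RewriteRule .* http://www.yourdomain.com%{REQUEST_URI} [R=301,L]
```

Two practical notes. Test with R=302 first and switch to R=301 once the conditions are right: browsers cache 301 redirects, so a mistake in the rules is painful to undo. And the redirects only control the transport; whether WordPress flags its authentication cookies as secure-only is decided by WordPress when the login request arrives over HTTPS, not by these rules, so check the cookies your browser receives after logging in.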




© 2006-2009 WireLoad, LLC.