A few people have asked for an updated version of my Securing WordPress Admin Access With SSL guide. So here is an updated version for WordPress 2!
The situation has not changed much since WordPress 1.5: WordPress 2.0 still does not support HTTPS access to the admin area when the rest of the blog is served via normal HTTP and I still do not like logging in to my server over unencrypted connections, especially not when using public WLANs. Getting around this WordPress limitation requires quite a few steps:
All communication involving passwords or authentication cookies should be done over HTTPS connections.
wp-login.php and the
wp-admin directory should only be accessible over HTTPS.
Normal reading access, as well as comments, tracebacks, and pingbacks still should go over ordinary HTTP.
- Add an HTTPS virtual host that forwards requests to the HTTP virtual host
- Modify WordPress to send secure authentication cookies, so cookies never get sent over insecure connections accidentally
- Require a valid certificate on HTTPS clients. That means to log in to WordPress you need both a valid certificate and a valid password. If someone manages to get your password, he still can not login because he does not have a valid certificate.
Note: This documentation assumes a Debian sarge installation with Apache 2. Some things, in particular Apache module related ones, will be different on other systems.
The server used throughout the instructions is example.org/126.96.36.199. The server’s
DocumentRoot is /blog and WordPress resides in /blog/wp. The value of WordPress’
home option is ‘http://example.org’ and the value of its
site_url option is ‘http://example.org/wp’.
- Prepare the SSL certificates:
- Make WordPress SSL-ready:
Apply this patch to the WordPress code. It makes the following changes:
- Use secure authentication cookies in
check_admin_referer() work with HTTPS URLs
- Use HTTPS URLs for notification mails
- Use HTTPS URLS for redirects to
- Only allow XML-RPC logins from the local host (ie. the HTTPS proxy)
- Add the Mark-as-Spam feature from trunk
The patch is against svn version 3825 of WordPress (ie. WordPress 2.0.3), when you apply it to a newer version, you will likely get some harmless ‘
Hunk succeeded’ message. If you are getting ‘
Hunk FAILED’ message, just send me note and I’ll update the patch.
- Enable the necessary Apache modules:
- Install mod_proxy_html. It will be used to replace absolute ‘http://example.org’ HTTP URLs in the WordPress output with ‘https://example.org’ HTTPS URLs:
$ aptitude install libapache2-mod-proxy-html
The module gets enabled automatically after installation.
- Enable mod_proxy and mod_ssl
$ a2enmod proxy
$ a2enmod ssl
Debian provides sane default configurations for both modules. You might want to take a look at the configuration files (
I have changed
ssl.conf in order to just allow TLS v1 and SSL v3 ciphers which provide strong encryption and authentication (see ciphers(1)).
- If you are compressing WordPress output (that is if you enabled the ‘WordPress should compress articles (gzip) if browsers ask for them’ option) then also enable mod_headers:
$ a2enmod headers
- Configure Apache to listen on the HTTPS port
$ cat > /etc/apache2/conf.d/ssl.conf << EOF
- Modify the blog virtual host to limit access to
wp-admin to the local host. Also completely deny access to files which should never be accessed directly. Here is an example:
- Now setup the HTTPS virtual server:
If you are compressing WordPress output you have to enable the
- Enable the site and restart Apache
$ a2ensite 20-blog-ssl
$ /etc/init.d/apache2 restart
- Remove the old WP cookies from your browser
- Test the new setup!
February 1st, 2006: wp2-ssl.patch updated for WordPress 2.0.1
March 11st, 2006: WordPress 2.0.2 has been released, fixing some security issues. The HTTPS patch still applies fine to that version.
March 19th, 2006: Updated wp2-ssl.patch. Changes: Fix bug in list-manipulation.php, use HTTPS for ‘Login’ and ‘Register’ links, backport ‘Mark-as-Spam’ feature from trunk
May 1st, 2006: WordPress 2.0.3 has been released. Here is the updated wp2-ssl.patch.
July 29th, 2006: WordPress 2.0.4 has been released, fixing some security issues. Here is an updated version of the wp2-ssl.patch.
January 12st, 2007: wp2-ssl.patch updated for 2.0.6 and 2.0.7-RC1
January 15st, 2007: WordPress 2.0.7 has been released. The patch still applies fine to that version.