January 22nd, 2006: There’s an updated version of this guide for WordPress 2 now: Securing WordPress 2 Admin Access With SSL
As one can guess from the look of this site, I’m using WordPress as my blog engine. At this time WordPress does not support HTTPS access to the admin area when the rest of the blog is served via normal HTTP. This is a bit unfortunate. I do not like logging in to my server over unencrypted connections, especially not when using public WLANs. Getting around this WordPress limitation requires quite a few steps:
All communication involving passwords or authentication cookies should be done over HTTPS connections.
wp-login.php and the
wp-admin directory should only be accessible over HTTPS.
Normal reading access, as well as comments, tracebacks, and pingbacks still should go over ordinary HTTP.
- Add an HTTPS virtual host that forwards requests to the HTTP virtual host
- Modify WordPress to send secure authentication cookies, so cookies never get sent over insecure connections accidentally
- Require a valid certificate on HTTPS clients. That means to log in to WordPress you need both a valid certificate and a valid password. If someone manages to get your password, he still can not login because he does not have a valid certificate.
Note: This documentation assumes a Debian sarge installation with Apache 2. Some things, in particular Apache module related ones, will be different on other systems.
The server used throughout the instructions is example.org/220.127.116.11. The server’s
DocumentRoot is /blog and WordPress resides in /blog/wp. The value of WordPress’
home option is ‘http://example.org’ and the value of its
site_url option is ‘http://example.org/wp’.