{"id":28,"date":"2005-05-18T01:11:24","date_gmt":"2005-05-17T23:11:24","guid":{"rendered":"http:\/\/blog.blackdown.de\/2005\/05\/18\/securing-wordpress-admin-access-with-ssl\/"},"modified":"2016-10-29T03:51:02","modified_gmt":"2016-10-29T01:51:02","slug":"securing-wordpress-admin-access-with-ssl","status":"publish","type":"post","link":"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/","title":{"rendered":"Securing WordPress Admin Access With SSL"},"content":{"rendered":"<p><em><strong>January 22nd, 2006:<\/strong> There&#8217;s an updated version of this guide for WordPress 2 now: <a href=\"\/2006\/01\/22\/securing-wordpress-2-admin-access-with-ssl\/\">Securing WordPress 2 Admin Access With SSL<\/a><\/em><\/p>\n<p>As one can guess from the look of this site, I&#8217;m using <a href=\"http:\/\/wordpress.org\/\" rel=\"tag\">WordPress<\/a> as my blog engine. At this time WordPress does not support HTTPS access to the admin area when the rest of the blog is served via normal HTTP. This is a bit unfortunate. I do not like logging in to my server over unencrypted connections, especially not when using public WLANs. Getting around this WordPress limitation requires quite a few steps:<\/p>\n<h3>The Goal<\/h3>\n<p>All communication involving passwords or authentication cookies should be done over HTTPS connections. <code>wp-login.php<\/code> and the <code>wp-admin<\/code> directory should only be accessible over HTTPS.<br \/>\nNormal reading access, as well as comments, tracebacks, and pingbacks still should go over ordinary HTTP.<\/p>\n<h3>The Plan<\/h3>\n<ul>\n<li>Add an HTTPS virtual host that forwards requests to the HTTP virtual host<\/li>\n<li>Modify WordPress to send <em>secure<\/em> authentication cookies, so cookies never get sent over insecure connections accidentally<\/li>\n<li>Require a valid certificate on HTTPS clients. That means to log in to WordPress you need both a valid certificate and a valid password.  If someone manages to get your password, he still can not login because he does not have a valid certificate.<\/li>\n<\/ul>\n<h3>The Implementation<\/h3>\n<p>Note: This documentation assumes a <a href=\"http:\/\/www.debian.org\/\">Debian<\/a> sarge installation with <a href=\"http:\/\/httpd.apache.org\/\" rel=\"tag\">Apache<\/a> 2. Some things, in particular Apache module related ones, will be different on other systems.<br \/>\nThe server used throughout the instructions is example.org\/192.0.34.166. The server&#8217;s <code>DocumentRoot<\/code> is \/blog and WordPress resides in \/blog\/wp. The value of WordPress&#8217; <code>home<\/code> option is &#8216;http:\/\/example.org&#8217; and the value of its <code>site_url<\/code> option is &#8216;http:\/\/example.org\/wp&#8217;.<\/p>\n<ul>\n<li>Prepare the SSL certificates:\n<ul>\n<li>Generate your own certificate authority (CA) if you don&#8217;t have one already (I&#8217;m using the makefile from <a href=\"http:\/\/sial.org\/howto\/openssl\/ca\/\">OpenSSL Certificate Authority Setup<\/a> for managing mine) and import it into your browser.<\/li>\n<li>Generate a certificate for the SSL server and certify it with your private CA.<\/li>\n<li>Generate a certificate for your browser and certify it with your private CA. Most browsers expect a <abbr title=\"Public-Key Cryptography Standard\">PKCS<\/abbr>#12 file, so generate one with\n<pre>$ openssl pkcs12 -export -clcerts &#92;\r\n    -in blogclient.cert &#92;\r\n    -inkey blogclient.key &#92;\r\n    -out blogclient.p12<\/pre>\n<p> Then import <code>blogclient.p12<\/code> into your browser.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>Make WordPress SSL-ready:<br \/>\nApply this <a href=\"\/static\/wp\/wp-ssl.patch\">patch<\/a> to the WordPress code. It makes the following changes:<\/p>\n<ul>\n<li>Use <em>secure<\/em> authentication cookies in <code>wp_setcookie()<\/code><\/li>\n<li>Make <code>check_admin_referer()<\/code> working with HTTPS URLs<\/li>\n<li>Disable login over XML-RPC<\/li>\n<\/ul>\n<\/li>\n<li>Enable the necessary Apache modules:\n<ul>\n<li>Install <a href=\"http:\/\/apache.webthing.com\/mod_proxy_html\/\">mod_proxy_html<\/a>.  It will be used to replace absolute &#8216;http:\/\/example.org&#8217; HTTP URLs in the WordPress output with &#8216;https:\/\/example.org&#8217; HTTPS URLs:\n<pre>$ aptitude install libapache2-mod-proxy-html<\/pre>\n<p>The module gets enabled automatically after installation.<\/p>\n<\/li>\n<li>Enable mod_proxy and mod_ssl\n<pre>$ a2enmod proxy\r\n$ a2enmod ssl<\/pre>\n<p>Debian provides sane default configurations for both modules. You might want to take a look at the configuration files (<code>ssl.conf<\/code> and <code>proxy.conf<\/code>) nevertheless.<\/p>\n<\/li>\n<li>If you are compressing WordPress output (that is if you enabled the <em>&#8216;WordPress should compress articles (gzip) if browsers ask for them&#8217;<\/em> option) then also enable mod_headers:\n<pre>$ a2enmod headers<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>Configure Apache to listen on the HTTPS port\n<pre>$ cat &gt; \/etc\/apache2\/conf.d\/ssl.conf &lt;&lt; EOF\r\n&lt;IfModule mod_ssl.c&gt;\r\n\tListen 443\r\n&lt;\/IfModule&gt;\r\nEOF<\/pre>\n<\/li>\n<li>Modify the blog virtual host to limit access to <code>wp-login.php<\/code> and <code>wp-admin<\/code> to the local host. Also completely deny access to files which should never be accessed directly. Here is an example: <a href=\"\/static\/wp\/10-example.org\"><code>10-example.org<\/code><\/a><\/li>\n<li>Now setup the HTTPS virtual server: <a href=\"\/static\/wp\/20-example.org-ssl\"><code>20-example.org-ssl<\/code><\/a><br \/>\nIf you are compressing WordPress output you have to enable the <code>RequestHeader<\/code> line.\n<\/li>\n<li>Enable the site and restart Apache\n<pre>$ a2ensite 20-blog-ssl\r\n$ \/etc\/init.d\/apache2 restart<\/pre>\n<\/li>\n<li>Remove the old WP cookies from your browser<\/li>\n<li>Test the new setup!<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>January 22nd, 2006: There&#8217;s an updated version of this guide for WordPress 2 now: Securing WordPress 2 Admin Access With SSL As one can guess from the look of this site, I&#8217;m using WordPress as my blog engine. At this time WordPress does not support HTTPS access to the admin area when the rest of<br \/>[&rarr; <a href=\"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/\" class=\"more-link\">Read the rest of this entry<\/a>]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[6,3,2,8,20],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v18.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"January 22nd, 2006: There&#039;s an updated version of this guide for WordPress 2 now: Securing WordPress 2 Admin Access With SSL As one can guess from the\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Securing WordPress Admin Access With SSL \u2014 J\u00fcrgen Kreileder\" \/>\n<meta property=\"og:description\" content=\"January 22nd, 2006: There&#039;s an updated version of this guide for WordPress 2 now: Securing WordPress 2 Admin Access With SSL As one can guess from the\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/\" \/>\n<meta property=\"og:site_name\" content=\"J\u00fcrgen Kreileder\" \/>\n<meta property=\"article:published_time\" content=\"2005-05-17T23:11:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-10-29T01:51:02+00:00\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"J\u00fcrgen Kreileder\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blackdown.de\/#website\",\"url\":\"https:\/\/blackdown.de\/\",\"name\":\"J\u00fcrgen Kreileder\",\"description\":\"Software Engineer and Consultant\",\"publisher\":{\"@id\":\"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blackdown.de\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#webpage\",\"url\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/\",\"name\":\"Securing WordPress Admin Access With SSL \u2014 J\u00fcrgen Kreileder\",\"isPartOf\":{\"@id\":\"https:\/\/blackdown.de\/#website\"},\"datePublished\":\"2005-05-17T23:11:24+00:00\",\"dateModified\":\"2016-10-29T01:51:02+00:00\",\"description\":\"January 22nd, 2006: There's an updated version of this guide for WordPress 2 now: Securing WordPress 2 Admin Access With SSL As one can guess from the\",\"breadcrumb\":{\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Securing WordPress Admin Access With SSL\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#webpage\"},\"author\":{\"@id\":\"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0\"},\"headline\":\"Securing WordPress Admin Access With SSL\",\"datePublished\":\"2005-05-17T23:11:24+00:00\",\"dateModified\":\"2016-10-29T01:51:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#webpage\"},\"wordCount\":549,\"publisher\":{\"@id\":\"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0\"},\"articleSection\":[\"Config\",\"Debian\",\"Linux\",\"Security\",\"WordPress\"],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0\",\"name\":\"J\u00fcrgen Kreileder\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/blackdown.de\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ceaab9fc1ba3f50f30f855e2b924aca5?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ceaab9fc1ba3f50f30f855e2b924aca5?s=96&d=identicon&r=g\",\"caption\":\"J\u00fcrgen Kreileder\"},\"logo\":{\"@id\":\"https:\/\/blackdown.de\/#personlogo\"},\"sameAs\":[\"https:\/\/blackdown.de\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"January 22nd, 2006: There's an updated version of this guide for WordPress 2 now: Securing WordPress 2 Admin Access With SSL As one can guess from the","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/","og_locale":"en_US","og_type":"article","og_title":"Securing WordPress Admin Access With SSL \u2014 J\u00fcrgen Kreileder","og_description":"January 22nd, 2006: There's an updated version of this guide for WordPress 2 now: Securing WordPress 2 Admin Access With SSL As one can guess from the","og_url":"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/","og_site_name":"J\u00fcrgen Kreileder","article_published_time":"2005-05-17T23:11:24+00:00","article_modified_time":"2016-10-29T01:51:02+00:00","twitter_misc":{"Written by":"J\u00fcrgen Kreileder","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/blackdown.de\/#website","url":"https:\/\/blackdown.de\/","name":"J\u00fcrgen Kreileder","description":"Software Engineer and Consultant","publisher":{"@id":"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blackdown.de\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#webpage","url":"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/","name":"Securing WordPress Admin Access With SSL \u2014 J\u00fcrgen Kreileder","isPartOf":{"@id":"https:\/\/blackdown.de\/#website"},"datePublished":"2005-05-17T23:11:24+00:00","dateModified":"2016-10-29T01:51:02+00:00","description":"January 22nd, 2006: There's an updated version of this guide for WordPress 2 now: Securing WordPress 2 Admin Access With SSL As one can guess from the","breadcrumb":{"@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Securing WordPress Admin Access With SSL"}]},{"@type":"Article","@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#article","isPartOf":{"@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#webpage"},"author":{"@id":"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0"},"headline":"Securing WordPress Admin Access With SSL","datePublished":"2005-05-17T23:11:24+00:00","dateModified":"2016-10-29T01:51:02+00:00","mainEntityOfPage":{"@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-admin-access-with-ssl\/#webpage"},"wordCount":549,"publisher":{"@id":"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0"},"articleSection":["Config","Debian","Linux","Security","WordPress"],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0","name":"J\u00fcrgen Kreileder","image":{"@type":"ImageObject","@id":"https:\/\/blackdown.de\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/ceaab9fc1ba3f50f30f855e2b924aca5?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ceaab9fc1ba3f50f30f855e2b924aca5?s=96&d=identicon&r=g","caption":"J\u00fcrgen Kreileder"},"logo":{"@id":"https:\/\/blackdown.de\/#personlogo"},"sameAs":["https:\/\/blackdown.de\/"]}]}},"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_shortlink":"https:\/\/wp.me\/pmfBQ-s","_links":{"self":[{"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/posts\/28"}],"collection":[{"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/comments?post=28"}],"version-history":[{"count":1,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/posts\/28\/revisions"}],"predecessor-version":[{"id":774,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/posts\/28\/revisions\/774"}],"wp:attachment":[{"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/media?parent=28"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/categories?post=28"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/tags?post=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}