{"id":43,"date":"2006-01-22T21:34:42","date_gmt":"2006-01-22T20:34:42","guid":{"rendered":"http:\/\/blog.blackdown.de\/2006\/01\/22\/securing-wordpress-2-admin-access-with-ssl\/"},"modified":"2016-10-29T03:51:01","modified_gmt":"2016-10-29T01:51:01","slug":"securing-wordpress-2-admin-access-with-ssl","status":"publish","type":"post","link":"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/","title":{"rendered":"Securing WordPress 2 Admin Access With SSL"},"content":{"rendered":"<p>A few people have asked for an updated version of my <a href=\"\/2005\/05\/18\/securing-wordpress-admin-access-with-ssl\/\">Securing WordPress Admin Access With SSL<\/a> guide. So here is an updated version for <a href=\"http:\/\/wordpress.org\/\" rel=\"tag\">WordPress<\/a> 2!<\/p>\n<p>The situation has not changed much since WordPress 1.5: WordPress 2.0 still does not support HTTPS access to the admin area when the rest of the blog is served via normal HTTP and I still do not like logging in to my server over unencrypted connections, especially not when using public WLANs. Getting around this WordPress limitation requires quite a few steps:<\/p>\n<h3>The Goal<\/h3>\n<p>All communication involving passwords or authentication cookies should be done over HTTPS connections. <code>wp-login.php<\/code> and the <code>wp-admin<\/code> directory should only be accessible over HTTPS.<br \/>\nNormal reading access, as well as comments, tracebacks, and pingbacks still should go over ordinary HTTP.<\/p>\n<h3>The Plan<\/h3>\n<ul>\n<li>Add an HTTPS virtual host that forwards requests to the HTTP virtual host<\/li>\n<li>Modify WordPress to send <em>secure<\/em> authentication cookies, so cookies never get sent over insecure connections accidentally<\/li>\n<li>Require a valid certificate on HTTPS clients. That means to log in to WordPress you need both a valid certificate and a valid password.  If someone manages to get your password, he still can not login because he does not have a valid certificate.<\/li>\n<\/ul>\n<h3>The Implementation<\/h3>\n<p>Note: This documentation assumes a <a href=\"http:\/\/www.debian.org\/\">Debian<\/a> sarge installation with <a href=\"http:\/\/httpd.apache.org\/\" rel=\"tag\">Apache<\/a> 2. Some things, in particular Apache module related ones, will be different on other systems.<br \/>\nThe server used throughout the instructions is example.org\/192.0.34.166. The server&#8217;s <code>DocumentRoot<\/code> is \/blog and WordPress resides in \/blog\/wp. The value of WordPress&#8217; <code>home<\/code> option is &#8216;http:\/\/example.org&#8217; and the value of its <code>site_url<\/code> option is &#8216;http:\/\/example.org\/wp&#8217;.<\/p>\n<ul>\n<li>Prepare the SSL certificates:\n<ul>\n<li>Generate your own certificate authority (CA) if you don&#8217;t have one already (I&#8217;m using the makefile from <a href=\"http:\/\/sial.org\/howto\/openssl\/ca\/\">OpenSSL Certificate Authority Setup<\/a> for managing mine) and import it into your browser.<\/li>\n<li>Generate a certificate for the SSL server and certify it with your private CA.<\/li>\n<li>Generate a certificate for your browser and certify it with your private CA. Most browsers expect a <abbr title=\"Public-Key Cryptography Standard\">PKCS<\/abbr>#12 file, so generate one with\n<pre>$ openssl pkcs12 -export -clcerts &#92;\r\n    -in blogclient.cert &#92;\r\n    -inkey blogclient.key &#92;\r\n    -out blogclient.p12<\/pre>\n<p>Then import <code>blogclient.p12<\/code> into your browser.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>Make WordPress SSL-ready:<br \/>\nApply this <a href=\"\/static\/wp\/wp2-ssl.patch\">patch<\/a> to the WordPress code. It makes the following changes:<\/p>\n<ul>\n<li>Use <em>secure<\/em> authentication cookies in <code>wp_setcookie()<\/code><\/li>\n<li>Make <code>check_admin_referer()<\/code> work with HTTPS URLs<\/li>\n<li>Use HTTPS URLs for notification mails<\/li>\n<li>Use HTTPS URLS for redirects to <code>wp-login.php<\/code><\/li>\n<li>Only allow XML-RPC logins from the local host (ie. the HTTPS proxy)<\/li>\n<li>Add the <em>Mark-as-Spam<\/em> feature from trunk<\/li>\n<\/ul>\n<p>The patch is against <a href=\"http:\/\/subversion.tigris.org\/\">svn<\/a> version 3825 of WordPress (ie. WordPress 2.0.3), when you apply it to a newer version, you will likely get some harmless \u2018<code>Hunk succeeded<\/code>\u2019 message. If you are getting \u2018<code>Hunk FAILED<\/code>\u2019 message, just send me note and I&#8217;ll update the patch.<\/p>\n<\/li>\n<li>Enable the necessary Apache modules:\n<ul>\n<li>Install <a href=\"http:\/\/apache.webthing.com\/mod_proxy_html\/\">mod_proxy_html<\/a>.  It will be used to replace absolute &#8216;http:\/\/example.org&#8217; HTTP URLs in the WordPress output with &#8216;https:\/\/example.org&#8217; HTTPS URLs:\n<pre>$ aptitude install libapache2-mod-proxy-html<\/pre>\n<p>The module gets enabled automatically after installation.<\/p>\n<\/li>\n<li>Enable mod_proxy and mod_ssl\n<pre>$ a2enmod proxy\r\n$ a2enmod ssl<\/pre>\n<p>Debian provides sane default configurations for both modules. You might want to take a look at the configuration files (<code>ssl.conf<\/code> and <code>proxy.conf<\/code>) nevertheless.<br \/>\nI have changed <code>SSLCipherSuite<\/code> to<\/p>\n<pre style=\"overflow:scroll;width:93%;\">TLSv1:SSLv3:!SSLv2:!aNULL:!eNULL:!NULL:!EXP:!DES:!MEDIUM:!LOW:@STRENGTH<\/pre>\n<p>in <code>ssl.conf<\/code> in order to just allow TLS v1 and SSL v3 ciphers which provide strong encryption and authentication (see <a href=\"http:\/\/www.openssl.org\/docs\/apps\/ciphers.html\">ciphers(1)<\/a>).<\/p>\n<\/li>\n<li>If you are compressing WordPress output (that is if you enabled the <em>&#8216;WordPress should compress articles (gzip) if browsers ask for them&#8217;<\/em> option) then also enable mod_headers:\n<pre>$ a2enmod headers<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>Configure Apache to listen on the HTTPS port\n<pre>$ cat &gt; \/etc\/apache2\/conf.d\/ssl.conf &lt;&lt; EOF\r\n&lt;IfModule mod_ssl.c&gt;\r\n\tListen 443\r\n&lt;\/IfModule&gt;\r\nEOF<\/pre>\n<\/li>\n<li>Modify the blog virtual host to limit access to <code>wp-login.php<\/code> and <code>wp-admin<\/code> to the local host. Also completely deny access to files which should never be accessed directly. Here is an example: <a href=\"\/static\/wp\/10-wp2-example.org\"><code>10-wp2-example.org<\/code><\/a><\/li>\n<li>Now setup the HTTPS virtual server: <a href=\"\/static\/wp\/20-wp2-example.org-ssl\"><code>20-wp2-example.org-ssl<\/code><\/a><br \/>\nIf you are compressing WordPress output you have to enable the <code>RequestHeader<\/code> line.\n<\/li>\n<li>Enable the site and restart Apache\n<pre>$ a2ensite 20-blog-ssl\r\n$ \/etc\/init.d\/apache2 restart<\/pre>\n<\/li>\n<li>Remove the old WP cookies from your browser<\/li>\n<li>Test the new setup!<\/li>\n<\/ul>\n<p><em><strong>February 1st, 2006:<\/strong> <a href=\"\/static\/wp\/wp2-ssl.patch\">wp2-ssl.patch<\/a> updated for WordPress <a href=\"http:\/\/wordpress.org\/development\/2006\/01\/201-release\/\">2.0.1<\/a><\/em><\/p>\n<p><em><strong>March 11st, 2006:<\/strong> WordPress <a href=\"http:\/\/wordpress.org\/development\/2006\/03\/security-202\/\">2.0.2<\/a> has been released, fixing some security issues. The HTTPS patch still applies fine to that version.<\/em><\/p>\n<p><em><strong>March 19th, 2006:<\/strong> Updated <a href=\"\/static\/wp\/wp2-ssl.patch\">wp2-ssl.patch<\/a>. Changes: Fix bug in list-manipulation.php, use HTTPS for &#8216;Login&#8217; and &#8216;Register&#8217; links, backport &#8216;Mark-as-Spam&#8217; feature from trunk<\/em><\/p>\n<p><em><strong>May 1st, 2006:<\/strong> WordPress <a href=\"http:\/\/wordpress.org\/development\/2006\/06\/wordpress-203\/\">2.0.3<\/a> has been released. Here is the updated <a href=\"\/static\/wp\/wp2-ssl.patch\">wp2-ssl.patch<\/a>.<\/em><\/p>\n<p><em><strong>July 29th, 2006:<\/strong> WordPress <a href=\"http:\/\/wordpress.org\/development\/2006\/07\/wordpress-204\/\">2.0.4<\/a> has been released, fixing some security issues. Here is an updated version of the <a href=\"\/static\/wp\/wp2-ssl.patch\">wp2-ssl.patch<\/a>.<\/em><\/p>\n<p><em><strong>January 12st, 2007:<\/strong> <a href=\"\/static\/wp\/wp2-ssl.patch\">wp2-ssl.patch<\/a> updated for 2.0.6 and 2.0.7-RC1<\/em><\/p>\n<p><em><strong>January 15st, 2007:<\/strong> WordPress <a href=\"http:\/\/wordpress.org\/development\/2007\/01\/wordpress-207\/\">2.0.7<\/a> has been released. The patch still applies fine to that version.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A few people have asked for an updated version of my Securing WordPress Admin Access With SSL guide. So here is an updated version for WordPress 2! The situation has not changed much since WordPress 1.5: WordPress 2.0 still does not support HTTPS access to the admin area when the rest of the blog is<br \/>[&rarr; <a href=\"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/\" class=\"more-link\">Read the rest of this entry<\/a>]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[6,3,2,8,20],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v18.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"A few people have asked for an updated version of my Securing WordPress Admin Access With SSL guide. So here is an updated version for WordPress 2! The\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Securing WordPress 2 Admin Access With SSL \u2014 J\u00fcrgen Kreileder\" \/>\n<meta property=\"og:description\" content=\"A few people have asked for an updated version of my Securing WordPress Admin Access With SSL guide. So here is an updated version for WordPress 2! The\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/\" \/>\n<meta property=\"og:site_name\" content=\"J\u00fcrgen Kreileder\" \/>\n<meta property=\"article:published_time\" content=\"2006-01-22T20:34:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-10-29T01:51:01+00:00\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"J\u00fcrgen Kreileder\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blackdown.de\/#website\",\"url\":\"https:\/\/blackdown.de\/\",\"name\":\"J\u00fcrgen Kreileder\",\"description\":\"Software Engineer and Consultant\",\"publisher\":{\"@id\":\"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blackdown.de\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#webpage\",\"url\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/\",\"name\":\"Securing WordPress 2 Admin Access With SSL \u2014 J\u00fcrgen Kreileder\",\"isPartOf\":{\"@id\":\"https:\/\/blackdown.de\/#website\"},\"datePublished\":\"2006-01-22T20:34:42+00:00\",\"dateModified\":\"2016-10-29T01:51:01+00:00\",\"description\":\"A few people have asked for an updated version of my Securing WordPress Admin Access With SSL guide. So here is an updated version for WordPress 2! The\",\"breadcrumb\":{\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Securing WordPress 2 Admin Access With SSL\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#webpage\"},\"author\":{\"@id\":\"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0\"},\"headline\":\"Securing WordPress 2 Admin Access With SSL\",\"datePublished\":\"2006-01-22T20:34:42+00:00\",\"dateModified\":\"2016-10-29T01:51:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#webpage\"},\"wordCount\":739,\"publisher\":{\"@id\":\"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0\"},\"articleSection\":[\"Config\",\"Debian\",\"Linux\",\"Security\",\"WordPress\"],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0\",\"name\":\"J\u00fcrgen Kreileder\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/blackdown.de\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ceaab9fc1ba3f50f30f855e2b924aca5?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ceaab9fc1ba3f50f30f855e2b924aca5?s=96&d=identicon&r=g\",\"caption\":\"J\u00fcrgen Kreileder\"},\"logo\":{\"@id\":\"https:\/\/blackdown.de\/#personlogo\"},\"sameAs\":[\"https:\/\/blackdown.de\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"A few people have asked for an updated version of my Securing WordPress Admin Access With SSL guide. So here is an updated version for WordPress 2! The","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/","og_locale":"en_US","og_type":"article","og_title":"Securing WordPress 2 Admin Access With SSL \u2014 J\u00fcrgen Kreileder","og_description":"A few people have asked for an updated version of my Securing WordPress Admin Access With SSL guide. So here is an updated version for WordPress 2! The","og_url":"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/","og_site_name":"J\u00fcrgen Kreileder","article_published_time":"2006-01-22T20:34:42+00:00","article_modified_time":"2016-10-29T01:51:01+00:00","twitter_misc":{"Written by":"J\u00fcrgen Kreileder","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/blackdown.de\/#website","url":"https:\/\/blackdown.de\/","name":"J\u00fcrgen Kreileder","description":"Software Engineer and Consultant","publisher":{"@id":"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blackdown.de\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#webpage","url":"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/","name":"Securing WordPress 2 Admin Access With SSL \u2014 J\u00fcrgen Kreileder","isPartOf":{"@id":"https:\/\/blackdown.de\/#website"},"datePublished":"2006-01-22T20:34:42+00:00","dateModified":"2016-10-29T01:51:01+00:00","description":"A few people have asked for an updated version of my Securing WordPress Admin Access With SSL guide. So here is an updated version for WordPress 2! The","breadcrumb":{"@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Securing WordPress 2 Admin Access With SSL"}]},{"@type":"Article","@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#article","isPartOf":{"@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#webpage"},"author":{"@id":"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0"},"headline":"Securing WordPress 2 Admin Access With SSL","datePublished":"2006-01-22T20:34:42+00:00","dateModified":"2016-10-29T01:51:01+00:00","mainEntityOfPage":{"@id":"https:\/\/blackdown.de\/articles\/securing-wordpress-2-admin-access-with-ssl\/#webpage"},"wordCount":739,"publisher":{"@id":"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0"},"articleSection":["Config","Debian","Linux","Security","WordPress"],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/blackdown.de\/#\/schema\/person\/d169d9b7b1b84446d5bea93795076ec0","name":"J\u00fcrgen Kreileder","image":{"@type":"ImageObject","@id":"https:\/\/blackdown.de\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/ceaab9fc1ba3f50f30f855e2b924aca5?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ceaab9fc1ba3f50f30f855e2b924aca5?s=96&d=identicon&r=g","caption":"J\u00fcrgen Kreileder"},"logo":{"@id":"https:\/\/blackdown.de\/#personlogo"},"sameAs":["https:\/\/blackdown.de\/"]}]}},"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_shortlink":"https:\/\/wp.me\/pmfBQ-H","_links":{"self":[{"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/posts\/43"}],"collection":[{"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/comments?post=43"}],"version-history":[{"count":1,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/posts\/43\/revisions"}],"predecessor-version":[{"id":759,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/posts\/43\/revisions\/759"}],"wp:attachment":[{"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/media?parent=43"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/categories?post=43"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blackdown.de\/wp-json\/wp\/v2\/tags?post=43"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}