WordPress SSL over HTTPS: Securing your blog’s administration pages

Keep prying eyes from stealing your important admin credentials using encryption.

Although I really should be working on my next video, I am doing something totally different —getting my website’s admin area encrypted. Yes, I am easily distracted by little side projects and that’s why I can never get anything done quickly… but THIS is a worthy task.

Why should you secure WordPress using SSL over HTTPS?

What’s the point? Security, of course. Just think: You are blogging in a coffee shop using their open wifi —or even password-authenticated wifi— it doesn’t matter. As long as there is traffic going over the network, your website’s administrative data packets are being transmitted in the clear, including your admin username and password. You wouldn’t want your bank information visible to all in the ether so why would you trust your website management bouncing around unencrypted? Logging into WordPress and doing your business can be a fairly secure process after a few steps.

Getting it done— Difficulty level: Fairly easy

I’m approaching this with the assumption that you have access to change your web host’s Apache SSL configuration and WordPress plugins. Without this access, you may have other challenges.

Quick and dirty SSL certificates

Sure you can purchase an SSL certificate from an authority and install them at your hosting level but that would be way beyond the scope of this little project. For now, I’m doing this the easy way so you can get up and running with encryption. If you already have a valid SSL certificate with a matching Server Name then skip this step. Otherwise you’d better follow along or risk getting errors. On your Apache server:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \
/opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/server.crt

The path and key/certificate filenames may differ depending on your server. The one quoted is for a Bitnami appliance on Amazon’s Elastic Cloud Computing infrastructure so using the exact syntax on a generic Ubuntu server may be totally different. This self-signed certificate should suffice for this project but be sure to note the certificate specifics before allowing your client browsers to accept the connection permanently. Fill out the certificate information, carefully following the prompts.

Adjust the Apache SSL configuration

The .conf file for SSL connections is usually separate from the main Apache .conf, and may be found in a subdirectory called extras. On a Bitnami WordPress appliance for AWS it might be called /opt/bitnami/apache2/conf/extras/httpd-ssl.conf. The enabled directives are few —and for good reason. However, for WordPress to resolve URLs properly while under SSL, some additions need to be made. Please audit your security after these modifications are performed.

Define the proper DocumentRoot and VirtualHost directives for your WordPress install. The directives mirror those that are defined by WordPress and allow the Rewrite module to behave properly in the Administration area if permalinks are enabled.

<directory "/opt/bitnami/apps/wordpress/htdocs">
    Options +MultiViews +FollowSymLinks
    AllowOverride None
    <ifversion < 2.3>
    Order allow,deny
    Allow from all
    </ifversion>
    <ifversion >= 2.3>
    Require all granted
    </ifversion>
    RewriteEngine On
    #RewriteBase /wordpress/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . index.php [L]
</directory>

You’ll need to restart Apache or reload the configuration for changes to take effect.

Prepare WordPress for SSL

To keep things simple, use the WordPress HTTPS (SSL) plugin by Mike Ems. Though you might be able to enable SSL logins in wp-config.php yourself, any canonical redirects you have in .htaccess may cause the HTTP redirect to fail. So stick with the plugin and save yourself some trouble! After activating the plugin and checking the box for “Force SSL Administration,” administrative pages in WordPress (including login) will be encrypted. You may want to bookmark the HTTPS admin URL for your website to avoid needless redirects. Voila, that’s all there is to it —enjoy!

Advertisements
  • Will remember to do this when they’re done fixing my PC. Tho I’m not that tech-y as you are, thanks for the tip! :)