Home | Setup | FAQ | History | Reset
Welcome to the homepage of the Admin SSL plugin for WordPress.
For a history of the plugin, please go here.
For setup instructions, please go here.
If you are having problems, please read the FAQ before posting.
If you need to reset Admin SSL, please go here.
The latest release, 1.5-b1, supports WordPress 2.8.
NB the only way I could get Admin SSL to work in WP 2.6+ was to get it to disable the new WordPress authentication cookies, and use the ones from 2.5.1. I personally prefer SSL than the cookie weirdness of 2.6+, but it's up to you.
If I could be cheeky, and you would like to make a donation (for all my hard developing!), please use the PayPal donate button below:
Features
- Works with WordPress 2.2 – 2.7 (using both Private and Shared SSL).
- Works with WordPress MU 1.3+ (using Private SSL only).
- Forces wp-login.php, wp-admin/profile.php and wp-admin/users.php to be secured. This cannot be turned off.
- Additional pages and directories to be secured (e.g. wp-admin/) can be defined on the configuration page.
- Other options can be defined on the new configuration page.
- Reset, debug and test modes for troubleshooting.
Downloads
The following downloads are hosted by wordpress.org.
1.4.1 – The latest stable version, with all the above features.
You can also download the development version (1.5-b1), which contains bugfixes and new features as I include them.
If you prefer, you can use the SVN repository. The releases are in the 'tags' subdirectory, the development version in 'trunk'.
Known Issues
- Admin SSL has 'erratic' behaviour when WordPress is not installed in the same directory as the WordPress URL. This is because of the way the WordPress canonical redirection functions work. I have not yet been able to overcome these.
The login page (and other admin pages) can be secured, but nothing on the site side.
Screenshots
Secure login page.
Secure plugins screen, with Admin SSL enabled.
design © bcg mmviii
Thanks so much. This is a huge help!
Ben,
Much thanks! I was going to poke at it, but my PHP is not up to the task.
Except for three small changes for me, it looks good. If I run into any issues I’ll post a comment here.
Thanks,
Jan Dembowski
Thanks for taking the time to update the plugin! It would be great if this plugin would play nicely with the ldap auth plugin located @ http://sourceforge.net/forum/forum.php?forum_id=756461 (or the ldap plugin playing nicely with admin ssl plugin). I guess this plugin isn’t really designed for WPMU, but it works good without the ldap plugin installed. I need both. i’ll keep researching but i might have to dive into the code when I have some time.
Thanks again
Thank you so much Ben, I was in the process of doing this myself, and had just realized that I didn’t have the time nor the skills.
Rossi
deejam:
If you get the chance or find a way to do this, let me know. It looks like it should be possible – but I don’t have an LDAP server to test it with I’m afraid!
Well I’ve managed to secure the dashboard by using the clean_url filter – but at the cost of a JavaScript error.
The problem is that the WordPress Stats plugin calls scripts and stylesheets from http://wordpress.com, and you can’t just switch to https! It’s up to the plugin provider to provide a secure url to their external files, I think.
So unless anyone has anything clever they can suggest, I’m not sure this one can be solved, short of disabling the stats plugin.
Hello,
I don’t find any one with the same problem i have so I hope i’ll find here some help, when I activate the plugin and try to access wp-admin, i get an error with firefox ( bad redirect ), if someone have any idea to fix this, it’ll be very helpful.
Thanks in advance.
Cheers,
DW
DispoWeb:
Are you using an old version of admin-ssl? This was the problem before I updated it to work with WP 2.5.
Or, if you are not using WP 2.5 please use the older version of admin-ssl, version 0.64.
In fact, I’ll update this site so that is made more clear.
BCG
Hello,
I’m using the new version of admin-ssl ( 0.67 ) and wordpress 2.5, it’s really very strange as problem, I don’t find anyone who has the same problem.
Cheers,
DW
DispoWeb:
Did you downloade it from the link, or the SVN repository? Sorry, I didn’t make clear before that the repository is my test version, as I try to fix the Dashboard problem, and so may not work.
Are you using shared or private SSL?
BCG
EDIT: try using the latest version from the repository – as I was testing it I had a redirection problem, when entering a non-https admin url having already logged in.
Hello,
Thanks for your reply, I donwloaded the plugin from your blog and i’m using a private SSL.
).
I can access to my website using https://www.mywebsite.com and https://www.mywebsite.com/wp-admin/ without the plugin but i get the redirection error when i activate it.
Can you drop me an email, I’ll send you the correct URL to see the error ( my english is not very well so it’s better to see the error yourself
Cheers,
DW
After updating from 2.3 to 2.5 and activating admin_ssl.php v0.67, I get redirect errors. It looks like it gets in a loop of redirecting from one fage to another. Removing the admin_ssl.php restores. Just in case I tried redownloading admin_ssl.php v0.67 again and uploading to plugins directory and I ran into same problem after activating. Clicking on a link in the admin area after activation seems to add extra /php/ directory in the target. My blog file is in http://www.mysite.org/php/my_blog/
Dear all
If you are experiencing problems with admin-ssl, please try downloading 0.70-b6. It is my latest development version, that I am using on my own blog, and seems to be working fine so far. I have made a lot of changes to the code, which is why I haven’t released it as a ‘stable’ version.
If you are using Shared SSL you MUST use this version of the plugin as it contains the fix to make admin-ssl work with Shared SSL under WordPress 2.5.
BCG
Hi,
Thanks for updating the plugin. I seem to have a problem though. When I’m editting a post and want to insert a link using WYSYWYG I only get an empty popup.
Any ideas?
Regards,
Joost
Joost:
As I said in the post, there is a problem with TinyMCE itself – you need to edit tiny_mce_config.php in order for it to work under SSL. Please go here:
http://trac.wordpress.org/attachment/ticket/6544/6544.2.diff
to see the patch that you need to apply in order for TinyMCE to work. I’ve applied it myself and there isn’t any problem.
BCG
Hi Ben
Thanks for this, you’ve saved me some work
Question though – do you have any inkling as to what it does to breaks the K2 AJAX comments? Ive suffered that problem since before 2.5, but assumed it was down to my customized theme.
Chances are fixing it probably won’t be too difficult – the problem I have is finding the time to debug…
Mou:
As you probably noticed when you left the comment, I managed to fix the problem!
I tracked it down to comments-ajax.php, lines 30 and 34. They clash with the output buffering used by admin-ssl. If you comment them out, then live commenting will work.
I haven’t had any problems yet, but I don’t like commenting out pieces of code – I’ve asked the K2 guys why there is output buffering there (I can’t see it myself), but no response.
BCG
Thanks so much for this! I hope you keep on updating it and really appreciate it!
BCG,
Thanks for stepping in! admin-ssl 0.64 is blocking comments on , so I was pleased to see you’re actively working on it.
FYI: When I create a new account on my test blog, it sends me to , instead of the correct (configured in the Shared SSL field, and working for admin access).
Have you considered changing the new account email link from http to https? I of course understand if you don’t want to touch this.
Thanks again!
Chris Pepper
Chris:
This is now fixed in 0.71.
BCG
I bcg, thanks first of all for this wordpress 2.5 plugin. I saw before that there is a fix for standard tinymce who comes with wp 2.5. I use http://wordpress.org/extend/plugins/tinymce-advanced/ (3.0 compatible with wp 2.5).
I would like to know if there is a fix also for this one. When i activate admin-ssl and i go to write page, icons of tinymce-advanced are broken even if maybe editor works correctly (i didn’t tested this..)
Thanks in advance
A neat idea, since I have a dedicated SSL on my site. However, when you engage SSL, it affects the WordPress 2.5′s visual editor negatively. The insert link window, for example, is blank, and spell check no longer functions.
Can you fix?
Disabling SSL restores this to normal operation.
Peace,
Gene Steinberg
Hi Gene:
Check out the ‘Known Issues’ section at the top of this post, which explains the problem and gives the solution.
Cheers
BCG
Hi,
Fantastic that you picked up this plugin and got it working! If I may request something – I have been trying to use WP-OPENID, however it does not play nice (unfortunately can’t be more descriptive than that) with admin-ssl.
Would be quite handy if it could be made to work!
Thanks again
I am just working out the changes to use this with the upcoming WPMU 1.5 release and just having some issues since the admin-ssl.php file has cannot be in a subdirectory and every other file can still be in the folder. Any clues? Much appreciated for reworking this plugin! That is great!
Trent
Drumbo:
I’ll take a look when I get the chance – been working on a couple of redirection bugfixes!
Trent:
Can you email me (details here: http://www.kerrins.co.uk/contact/) please with more explanation – where exactly do you want admin-ssl.php? At the moment it expects to be in a subfolder of /plugins/.
BCG
Ben,
Version 0.72 is working really well for me. The only things I change for my site is putting in a if(is_user_logged_in() check.
If the user is not logged in, then I remove the $comment_url and $secure_comment_url from. If they are logged in, leave it in place.
Also for Subscribe to Comments plugin, I put in a check if the QUERY_STRING matches wp-subscription-manager.
The reason I do this is because I am using a self-signed SSL cert. It’s no problem for registered users (the admin) but other people posting might be put off from seeing the SSL cert warning in their browser.
You can see the diff here http://wp.dembowski.net/wp-content/admin-ssl-0.72.diff.
Thanks,
Jan Dembowski
Hey Ben, me again
Suddenly, the plugin’s stopped working for me! I moved to a new web server (Media Temple) which also has a shared SSL certifcate (although accessible via https://mou.me.uk), but for some reason now its giving me the infinite redirection of death!
Or, as Firefox puts it:
“The page isn’t redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete.”
I’m running 0.72 version of the plugin on WP 2.5.
Any ideas?
Mou:
Redirect errors are difficult to diagnose without more info. Perhaps you could email me with more info, like the URL in the address bar when it happens, if it’s pre or post login, stuff like that. Also, you could try downloading the development version above, which might fix it.
BCG
The issue springs up when I first activate the plugin – ie, as soon as I click “activate”, so to fix things I’m having to rename to Admin-SSL folder. The URL in the address bar is:
https://mou.me.uk/cms/wp-admin/plugins.php?activate=true
But it affects the entire admin area. Anywhere where it should be https as far as I can see.
Firebug is showing the page returning a 302 header… then the page reloads and returns another 302.. and it continues until Firefox either gives up or I try and look at the response tab in Firebug, at which point the browser (and a few other open programs) lock up for a few seconds!
Blog front-end is unaffected.
Tried the latest version on SVN but its giving me the same problem.
Can’t think of anything else offhand. Let me know what other info you need!
Okay, possibly very very stupid question here, but I’m trying to run the 0.72 version of the plugin on wpmu and am having a little bit of difficulty finding the Admin SSL plugin configuration page. It’s possible that this page exists only in wp 2.5 and not in wpmu, for some reason, but if it does exist could someone hit me with a clue? Thanks much.
Mou:
If you have the latest version, please try going to this page:
http://BLOG_HOME/wp-content/plugins/admin-ssl/admin-ssl-reset.php
(Obviously replace BLOG_HOME!)
This will reset the database options and allow you to activate AdminSSL and reenter your Shared SSL settings – the Shared SSL URL should be https://mou.me.uk/cms/wp-admin/.
John:
I’m currently working on making the plugin work with WPMU, I’ll release a version when it’s done, sorry but you’ll have to wait for now!
BCG
Jan:
I’ve added the is_user_logged_in() check but not sure about the subscription manager one.
In the latest development version (0.80-b14), which should be available to download from WordPress.org soon, the subscription manager is not secured – is this the behaviour you were after?
BCG
Ben,
That’s sort of what I’m aiming for.
For the subscription manager if the user is not logged in, then I want the subscription manager to be unsecured. This is because of my self signed SSL cert; I don’t want to turn off or scare the user if they want to modify their subscriptions to comment threads. Those user would not really be admin’ing the blog and their URLs go out via e-mail which is already unsecured.
If the user is logged in (via a check) then I want it to be secured. The idea is that if they are registered and logging in the end user either imported and accepted the self signed cert or they don’t mind the warning. Also logged in users should have their admin secured as just good practice.
Ideally there would be an area in the Admin SSL options screen to put in strings to bypass the SSL admin for non-logged in users ala WP Super Cache’s reject URI entry box, but that would be massively pushing the boundary of feature requests and I’d use up all my “Feature Request Karma in one rip”…
Thanks for all the great work,
Jan Dembowski
Ben,
I’ve just downloaded the development version and that’s great.
The options for secure commenting are exactly what I was looking for, thanks.