Welcome to the homepage of the Admin SSL plugin for WordPress.
For a history of the plugin, please go here.
For setup instructions, please go here.
If you are having problems, please read the FAQ before posting.
If you need to reset Admin SSL, please go here.
The latest release, 1.5-b1, supports WordPress 2.8.
NB the only way I could get Admin SSL to work in WP 2.6+ was to get it to disable the new WordPress authentication cookies, and use the ones from 2.5.1. I personally prefer SSL to the cookie weirdness of 2.6+, but it's up to you.
Features
- Works with WordPress 2.2 – 2.7 (using both Private and Shared SSL).
- Works with WordPress MU 1.3+ (using Private SSL only).
- Forces wp-login.php, wp-admin/profile.php and wp-admin/users.php to be secured. This cannot be turned off.
- Additional pages and directories to be secured (e.g. wp-admin/) can be defined on the configuration page.
- Other options can be defined on the new configuration page.
- Reset, debug and test modes for troubleshooting.
Downloads
The following downloads are hosted by wordpress.org.
1.4.1 – The latest stable version, with all the above features.
You can also download the development version (1.5-b1), which contains bugfixes and new features as I include them.
If you prefer, you can use the SVN repository. The releases are in the 'tags' subdirectory, the development version in 'trunk'.
Known Issues
- Admin SSL has 'erratic' behaviour when WordPress is not installed in the same directory as the WordPress URL. This is because of the way the WordPress canonical redirection functions work. I have not yet been able to overcome these.
The login page (and other admin pages) can be secured, but nothing on the site side.
Screenshots
Secure login page.
Secure plugins screen, with Admin SSL enabled.


Sergio (and others):
Thanks for reporting this, I’ll look into it when I can – my wife and I are about to move house (on Monday) so development on the plugin has stalled a little while we prepare for that, and actually move!
BCG
hi, it’s me again
i have another questions.
1. sometimes when i access my wp-admin, the https:// on the url became http://. so i usually reset the admin SSL and re-activated. i use WP 2.5.1
2. i also realize that when the url is https:// the post-slug didn’t work. i couldn’t edit the slug. is it related to a bug from the plugins that aren’t able to distinguish between HTTP and HTTPS, as you mentioned in the earlier comment?
and thanks again for the great plugins!
Soyuz:
I’ve just fixed bug (2), which will be included in the next release, once I have confirmed some other bugfixes. As for the first one, have you worked out how to make it happen, or is it random? If it is not random, could you enable debug mode (see FAQ) and email me the debug log please?
Sergio:
Can you confirm you are still getting this error? I am not having a problem with WPMU 1.5.1 and Admin SSL 1.0.4. Please email me with more info if you are still having trouble.
BCG
Sorry, solved in 1.5.1, I don’t have in virtual directory:
AllowOverride FileInfo Options
Solved and working ok in 1.5.1 and 1.3.1 with LDAP Auth too, now my problem is with LDAP Auth in 1.5.1.
Thanks for all.
hi,
thanks for the reply. and thanks for fixing the bug(2). really appreciate it.
for the first problem, it’s random. but i think that’s my mistake. i didn’t upload admin SSL plugin on the httpsdoc folder, only on httpdoc. after i put the admin SSL to my httpsdoc, the url is always https and never changed to http since then. silly me. sorry to make you worried.
thanks again and i look forward to the next release.
Hi,
Just to let you know I have downloaded the latest svn version and it isn’t working with 2.6 svn version. It is no longer doing the continual redirect, however it seems to authenticate, and then go back to the login screen. If I go back to the main page (front page of my blog) I can see that I have been logged in, however if I click on the admin link, it attempts to go to the admin section, but is redirected to the login page! Hope that makes sense.
Drumbo:
Thanks for the heads-up – I think I’ll probably wait until a RC of 2.6 before I really look into it – there’s no point ‘fixing’ a bug that disappears in the final release!
Cheers
BCG
Hi,
I find that the redirect after clicking login won’t work.
I can see this is due to two letters being added to the redirected URL. This occurs after the ‘type’ suffix, e.g. “.com/wp-admin/” becomes “.comds/wp-admin/”
However, I can’t seem to find anything in WP-options that is adding the last two letters of the sub-domain that I have WP in.
I have checked the database and the standard URL is written correctly in all the settings.
Any help would be great.
Thanks.
I am using Admin SSL 1.0 with WordPress 2.5.1 and private SSL. Generally it works great but as soon as I enable Admin-SSL, using the site with SSL is impossible. If someone tries to reach the site via https://my.blog, he is redirected to http://my.blog . Is there any possibility to have both, SSL-secured login and optional SSL at the rest of the blog?
first, wanted to say good work with the plugin i’m sure.. it’s a nice feature to have.
now, that said, i haven’t been able to enable it on my site. i’ve downloaded it (1.05), activated it, and tried to configured it via the setup panel but, when i click “save changes” i’m being prompted to “are you sure you want to do this?” but not given the option to say yes. the only thing i can click on that page is “please try again”.
any help would be appreciated. thanks again for all the efforts..
Tony:
Are you using the latest version (1.0.5)? If so, could you read the FAQ, enable debug mode and send me the log file please, so I can troubleshoot the problem?
Hoshpak:
Unfortunately WordPress forces its URL to be what you enter in the General Settings tab, so SSL will NOT work for blog pages, only for admin pages. If you want your blog to be secured, you can only do this by changing the URL in the WP General Settings – but this will of course secure your entire blog.
Paul:
This error happens when you try to submit to a WordPress page from another unverified domain name. E.g., you are signed in to myblog.com, and try to submit to myblog.com/wp-admin/settings.php from, say, somesite.com/wp-settings.php. Perhaps you also could enable debug mode, and send me the log file to help me troubleshoot?
Cheers
BCG
bcg: Thanks for your reply. I hope this will be fixed in WordPress 2.6.
ssl plugins wordpress – mu problem ?
Bayan:
Not as far as I’m aware. Is there a specific problem you’re having?
@Hoshpak and @bcg:
I think with some hacking around the URL scheme replacements (I’m thinking specifically line 347), if you don’t change the scheme if it is already https ever (so you never go https->http), you can make the site https optional.
Craig:
Thanks for your comments – the reason this won’t work site-side is wp-includes/canonical.php, which forces site-side links to be the URL defined on the main Settings page.
If Admin SSL tries to make a site page secure, then there is a never-ending redirect as WordPress and Admin SSL keep redirecting.
The way to do this would be to do some checking using the ‘redirect_canonical’ filter, to stop WordPress redirecting – but I haven’t had time to do this yet, it’s on the feature list for 1.1.
BCG
Hoshpak and Craig:
I think I’ve cracked it – try downloading the development version above (1.1-rc3) and adding a site-side URL to the Additional URLs box on the config page.
It works for me, on both private and shared SSL. Let me know what you think.
BCG
It works great – Without changing any settings, I’m able to go to the site in https, and it doesn’t kick me back to http! Most excellent
Works great for me as well. Thanks @cfg.
Do the recent changes in 2.6 regarding SSL remove the need for this plugin? http://boren.nu/archives/2008/07/14/ssl-and-cookies-in-wordpress-26/
@Craig:
If you want your entire admin area to be secured, then the new 2.6 feature will do that for you. However, I am still working to update Admin SSL because WP 2.6 does not support shared SSL, and nor does it support the securing of individual URLs.
I have however emailed Ryan to suggest that some of the features/code from Admin SSL are included in 2.7.
BCG
Hi,
can I use IP instead of domain when entering shared ssl directory?
I always close out myself, I dont know which is my main host domain and ssl certificate where my domain is.
sorry for my bad english
@Seany:
You can enter whatever you like, as long as it works when you put it in the address bar of your internet browser. Domain names are basically IP addresses anyway. Go to http://216.234.124.195/ and you’ll see it is the same as going to http://www.kerrins.co.uk/.
bcg
After struggling with this plugin for a long while I come to realize my host doesn’t have the environment variable SERVER["HTTPS"] set even if the request comes from https. The port is 80, not 443. How can that be? The browser shows the padlock icon if I browse to a test page using shared SSL but the environment variables show:
_SERVER["SCRIPT_URI"] = https://server123.myhost.com:80/~myuser/test.php
_SERVER["SERVER_PORT"] = 80
_SERVER["HTTPS"] =
_SERVER["SSL_PROTOCOL"] =
Any way to key off the SERVER["SCRIPT_URI"] variable instead of
SERVER["HTTPS"]?
@TFB:
If you’re using 1.1, change line 158 from:
return(isset($_SERVER[$https_key]) && $https_value === $_SERVER[$https_key] ? true : false); }
to
return(substr($_SERVER["SCRIPT_URI"],0,5) === "https" ? true : false);
That should sort you out.
bcg
That did it. Thanks a lot for your help. I’m still not sure why my host doesn’t set the SERVER["HTTPS"] variable for shared SSL. They told me that’s the way it is on their servers. For others who run into a redirect loop on shared SSL, check the $_SERVER["HTTPS"] variable! Anyway, thank you for the great plugin!
Dear all
I have updated the development version of Admin SSL to support WP 2.6 (eventually!). If any of you would like to try it out and let me know if it works, or not, I would be very grateful. I’d especially like testing on Shared SSL setups. It works fine for me on my test server, but you never know!
Cheers
BCG
I tested the latest development version with my 2.6 blog and unfortunately it doesn’t seem to work. I am using the shared ssl provided by hosteurope (available under https://ssl.webpack.de) and when I enter https://ssl.webpack.de/blog.mydomain/wp-admin/ I end up in an infinite redirection loop. I tried using https://ssl.wepack.de/mydomain/blog/wp-admin/ instead and it doesn’t cause a redirection loop but won’t let me enter the login page either. I am just being redirected to the homepage of my blog.
Hi
I installed your development version on a new 2.6 wp version and it works fine with a private SSL.
Redirect http://../wp-admin to https://../wp-admin
Just curious doesn’t 2.6 offer the same feature as your plugin.
I thought it did, but couldn’t get it to work.
However when I installed your plugin it works fine.
Thanks
Sherif
@Hoshpak:
Can you follow the instructions on the FAQ page to enable debug mode and email the log file to me please? That will tell me which bit of the code is causing the redirect loop.
@Sherif:
Other people have emailed me with problems with WP 2.6’s SSL implementation – it is quite rough around the edges.
BCG
Thanks for a great plug-in. I hope this gets rolled into the core WordPress distribution. Especially considering how many people update their blogs on coffee shop wi-fi and other untrusted networks.
I would like to point out that version 1.1 of the plug-in does not work with Apache 1.3 out of the gate. This is probably the issue that @TFB ran into. Basically, Apache 1.3 (which a lot of hosting companies use) doesn’t have the HTTPS variable available. (Look under “specials” in the mod_rewrite 1.3 documentation (http://tinyurl.com/fgsge) and the 2.0 documentation (http://tinyurl.com/kawns) for confirmation.)
Assuming that the hosting provider runs HTTPS over port 443, a fix for this in the Admin-SSL plugin under “Other Settings” -> “HTTPS Detection” is to set:
“The name of the HTTPS $_SERVER variable” = “SERVER_PORT”
(without the quotes),
and:
“The value of the HTTPS $_SERVER variable when HTTPS is ON” to:
“443” (again, without quotes)
This seems to work on my setup:
WordPress = 2.6
Admin-SSL = 1.1
Apache = 1.3.41
PHP = 5.2.6
(Now in @TFB’s case, this wouldn’t work since his host is running SSL over port 80, which is kinda weird. If it is any port other than 80 though, this should work.)
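The two workarounds from the comments above (keying detection off SERVER_PORT on Apache 1.3, and falling back to SCRIPT_URI when the HTTPS variable is empty) combined into one check. This is an added example, not Admin SSL's code and not written by any commenter; the function name, its parameters and the sample arrays are hypothetical and constructed for illustration.

```php
<?php
// Added example, not Admin SSL's code. example_is_https() and its parameters are hypothetical.

/**
 * Decide whether a request arrived over HTTPS.
 *
 * $server     a $_SERVER-style array, passed in so the logic can be exercised offline
 * $httpsKey   the configured "name of the HTTPS $_SERVER variable"
 * $httpsValue the configured "value ... when HTTPS is ON"
 */
function example_is_https(array $server, string $httpsKey = 'HTTPS', string $httpsValue = 'on'): bool
{
    // 1. Configured key/value. Cast before comparing: a strict === against an
    //    integer port would never match the string "443" from the settings form.
    if (isset($server[$httpsKey])
        && strcasecmp((string) $server[$httpsKey], $httpsValue) === 0) {
        return true;
    }

    // 2. Fallback for hosts that leave the configured variable empty: read the
    //    scheme of SCRIPT_URI (set by mod_rewrite) instead of its first 5 bytes.
    if (isset($server['SCRIPT_URI'])) {
        $scheme = parse_url((string) $server['SCRIPT_URI'], PHP_URL_SCHEME);
        return is_string($scheme) && strtolower($scheme) === 'https';
    }

    // Unknown: report plain HTTP so the login page is redirected, never served in clear.
    return false;
}

// Constructed sample environments, modelled on the cases reported in the comments.
$cases = [
    'HTTPS=on (default settings)'        => [['HTTPS' => 'on', 'SERVER_PORT' => '443'], 'HTTPS', 'on'],
    'Apache 1.3, keyed on SERVER_PORT'   => [['SERVER_PORT' => '443'], 'SERVER_PORT', '443'],
    'shared SSL on port 80, HTTPS empty' => [[
        'HTTPS' => '', 'SERVER_PORT' => '80',
        'SCRIPT_URI' => 'https://server123.myhost.com:80/~myuser/test.php',
    ], 'HTTPS', 'on'],
    'plain HTTP'                         => [[
        'SERVER_PORT' => '80', 'SCRIPT_URI' => 'http://blog.example/wp-login.php',
    ], 'HTTPS', 'on'],
];

foreach ($cases as $label => [$server, $key, $value]) {
    printf("%-36s %s\n", $label, example_is_https($server, $key, $value) ? 'https' : 'http');
}
```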
I installed the development version 1.2-rc1 on wordpress 2.6 in a shared SSL hosting, but found this problem.
When I entered the following url to the Shared SSL URL field, the admin login page didn’t work.
https://www.mydomain.com/~myusername/blog/wp-admin/
If you view source of the admin login page, “~myusername/blog/” appeared twice in the links.
https://www.mydomain.com/~myusername/blog/~myusername/blog/wp-admin/
Now, I changed the http://www.mydomain.com to http://www.hostcompany.com, it worked!
https://www.hostcompany.com/~myusername/blog/wp-admin/
@Steve
If you entered
https://www.mydomain.com/~myusername/blog/wp-admin/
into Admin SSL’s config it is no wonder it didn’t work – you must enter the correct shared URL:
https://www.hostcompany.com/~myusername/blog/wp-admin/
into Admin SSL. Then the links will be correct.
Or am I not understanding your query properly?
BCG