Home | Setup | FAQ | History | Reset
Welcome to the homepage of the Admin SSL plugin for WordPress.
For a history of the plugin, please go here.
For setup instructions, please go here.
If you are having problems, please read the FAQ before posting.
If you need to reset Admin SSL, please go here.
The latest release, 1.5-b1, supports WordPress 2.8.
NB the only way I could get Admin SSL to work in WP 2.6+ was to get it to disable the new WordPress authentication cookies, and use the ones from 2.5.1. I personally prefer SSL than the cookie weirdness of 2.6+, but it's up to you.
If I could be cheeky, and you would like to make a donation (for all my hard developing!), please use the PayPal donate button below:
Features
- Works with WordPress 2.2 – 2.7 (using both Private and Shared SSL).
- Works with WordPress MU 1.3+ (using Private SSL only).
- Forces wp-login.php, wp-admin/profile.php and wp-admin/users.php to be secured. This cannot be turned off.
- Additional pages and directories to be secured (e.g. wp-admin/) can be defined on the configuration page.
- Other options can be defined on the new configuration page.
- Reset, debug and test modes for troubleshooting.
Downloads
The following downloads are hosted by wordpress.org.
1.4.1 – The latest stable version, with all the above features.
You can also download the development version (1.5-b1), which contains bugfixes and new features as I include them.
If you prefer, you can use the SVN repository. The releases are in the 'tags' subdirectory, the development version in 'trunk'.
Known Issues
- Admin SSL has 'erratic' behaviour when WordPress is not installed in the same directory as the WordPress URL. This is because of the way the WordPress canonical redirection functions work. I have not yet been able to overcome these.
The login page (and other admin pages) can be secured, but nothing on the site side.
Screenshots
Secure login page.
Secure plugins screen, with Admin SSL enabled.
design © bcg mmviii
hi. Thanks for plugin
perfect.
Regards
bcg,
https://www.mydomain.com/~myusername/blog/wp-admin/ is a valid shared URL.
Similarly, when I changed mydomain.com to myotherdomain.com that host in the same shared-hosting server, it was also a valid shared URL and it worked.
However, the “~myusername/blog/” part is duplicated if mydomain.com is the TLD that host the wp.
Steve
@Steve:
Perhaps you could enable debug mode and send me a log file from when you load a page with the double links?
Cheers
BCG
Ben,
You mention that in order to make the plugin work with WP 2.6 you had to disable the new WordPress authentication cookies and use the ones from 2.5
Could you just give a hint how to do that?
Thanks!
@Christoph
Admin SSL does this automatically for you. Sorry for not making that clear!
BCG
Thanks for the clarification on the authentication cookies.
Sadly, I seem to be one more person suffering from redirection issues. Neither the normal version nor development seem to work for me. Any idea?
@Christoph
The thing to do is enable debug mode and view your site with Admin SSL enabled so it redirects, and then email me the debug file. The instructions are in the FAQ.
Ben
Hi, I followed your instructions for WPMU and I am getting a failure. Error message below.
It seems as though WPMU is choking because admin-ssl.php was copied outside of the admin-ssl folder and put right into mu-plugins.
Any advice?
Warning: require_once(includes/debug.php) [function.require-once]: failed to open stream: No such file or directory in /www/hosts/sitedir/docs/wp-content/mu-plugins/admin-ssl.php on line 56
Fatal error: require_once() [function.require]: Failed opening required ‘includes/debug.php’ (include_path=’.:/php/includes:/opt’) in /www/hosts/sitedir/docs/wp-content/mu-plugins/admin-ssl.php on line 56
fyi, it is faling on wpmu 2.6.1 .
@Klark:
This will be fixed in 1.3.1, which is about to be released.
If you need it urgently, please download the development version, which is 1.3.1-b2.
Cheers
BCG
I don’t understand the installation instructions. It says to ‘upload Admin SSL files to: /wp-content/mu-plugins/admin-ssl/’
1) Do I create that directory manually and copy everything from the .zip file into that directory? The .zip file is named ‘admin-ssl-secure-admin’ so I’m guessing you don’t copy the unzipped archive into the mu-plugins directory?
2) I then move the ‘admin-ssl.php’ file from mu-plugins/admin-ssl to mu-plugins or do I leave a copy in the admin-ssl directory?
3) When I put admin-ssl.php into the mu-plugins directory it fails because it cannot find the /include directory (because it’s one directory below). If I copy the entire contents of the archive directly into the mu-plugins directory it fails to load a page because it says it cannot find the WP Config file.
Any ideas?
sfguy808:
This is the discussion I just had with Klark – please download the development version (1.3.1-b2) from the link above.
1) unzip .zip file and copy ALL contents to /admin-ssl/ directory.
2) move or copy admin-ssl.php, it doesn’t matter.
BCG
Thanks – your fixes worked great! Thanks for supporting the code so efficiently!
So, this worked up until a couple of months ago, but now you’ve broken it – activating the plugin on WordPress 2.5.1 clean install … nothing happens, plugin doesnt work, and there is no management page for this plugin. Disappointing
.
I guess those changes you made to try and fix it for 2.6 have broken it for 2.5.
I am now going to try and use archive.org cache to find an old version – one which works
.
Is there a way to get on some mailing list for updates?
@adam:
I have a test setup for 2.2, 2.3 and 2.5, which are all clean installations, with no options set, no plugins installed except Admin SSL, and all three are working fine with 1.3.1.
Are you on Shared SSL? The link to the Admin SSL options page is to the right of the ‘Plugin Editor’ link by default. It won’t do anything until you set the options there. If that link isn’t appearing, I’ll need to do some more investigating. Please email me with more info.
@sfguy808:
Do you mean notification when new versions are available? Because WP 2.6 should tell you that. If you mean new comments, there should be a comments feed (link at the top of all the comments). At present I don’t send out mailings to anyone – but if you don’t want to subscribe to a comments RSS feed, you can subscribe to an email list when a new comment is posted – use the link underneath the ‘Leave a Reply’ box.
Cheers
BCG
LOL my other plugins all place their management pages under the “manage” section rather than the “plugins” section, which is why I couldn’t find the management page
. Doh. Sorry.
However, every time I try to enable it, I get this annoying error message and nothing happens:
“Are you sure you want to do this?
Please try again.”
Um, yes, of course I’m sure. What do I have to do to prove it to you?
Hi Adam
This is a WordPress error, when the ‘wpnonce’ values do not match. Are you trying to access your pages over SSL *before* activating Admin SSL, i.e. when you are on the Admin SSL options page to enable it, does the URL begin https://?
I have seen that error in that situation. Otherwise, try clearing your browser cache etc etc.
BCG
re: accessing over SSL – yes, I was.
But, trying again, accessing not over SSL, I get exactly the same error.
Ben,
After configuring your plugin incorrectly I had to do a reset. First I just deleted the plugin from /wp-plugins/ but found that I whenever I put it back and reactivated it, I was locked out of the blog. Then I followed your second reset suggestion: going to http://BLOG/wp-content/plugins/admin-ssl/admin-ssl-reset.php. After doing this, I was able to reactivate the plugin without being locked out, but now for some reason I can’t seem to find the link to Admin SSL config page. Is it supposed to be at /wp-admin/options-general.php? Not seeing it there nor at /wp-admin/plugins.php. Would config page no longer be displaying because of something I did in my reset proceedure?
Thanks.
@aalynx
The config page should not be affected by the Reset – by default it appears on plugins.php (next to Plugin Editor, and Akismet if you have it enabled).
If it is not there, then there must be another problem!
BCG
Ben,
Thanks for the reply.
No. It’s definitely not there. I was certainly able to get to the config page before I screwed things up by choosing the private rather than the shared option. I will keep trying to figure it out.
@aaylnx
Try using debug mode – if you can’t figure out if the log file is helping, you could always email it to me.
You could always try reset method #4..? Delete Admin SSL, all the options from the DB, and reload using a fresh download from wordpress.org?
BCG
Ben,
I have it working now. The link to the config page was definitely missing. On a whim, I thought I’d try reset method #3. After doing this, the link to the config page reappeared. Now the plugin works perfectly! Thanks so very much for your work. Now the login to our church wordpress site, http://providencepres.com , is secure
If anyone else has this problem, try resetting method number 3.
Hi Ben,
I installed AdminSSL and followed the instructions as instructed but I get an error once I log out I enter the URL as
https://www.d-w-harvey.com/wp-admin/
but still no result.
@David:
What is the error that you are receiving? Can you enable debug mode (instructions on FAQ page) and email me the log file? This will help me to troubleshoot your problem.
BCG
HI Ben,
I have the problem resolved now. it was due to my domain not having an SSL certificate, and I didn’t know the path to the shared SSL for my host.
I don’t understand the point of Admin SSL :
Admin SSL VS SSL is ?
Is it essentially a reconfigured mod_rewrite or something?
Why if I apply a dedicated ssl cert or a shared ssl cert to myblog.com (where WP is) ….why wouldn’t it work without this plugin?
WP: wordpress 2.6.2
Type: Shared SSL
Host: 1 and 1
@Bob
Why don’t you try, and you’ll find out! If you want to access every single wp-admin page using SSL, then WordPress 2.6 will do this for you. If you only want to secure the login page, WordPress 2.6 will do this for you. But only if you have Private SSL.
However, if you want to secure individual pages but view the rest over a standard HTTP connection (much faster) you will find that with a Shared SSL setup you cannot do this, because the WordPress cookies will only work on the domain you used to sign in.
Apart from anything, this plugin does what many other plugins do: they provide functionality that is easy to use, rather than having to learn how to use mod_rewrite, or PHP. You can certainly achieve much the same with .htaccess files, but I think you’ll find Admin SSL is much easier to use!
Hope that answers your question.
BCG
Thanks for the feedback, I do have a shared SSL option but I haven’t turned it on yet at 1and1.
I’m trying to sort out with their support if using the shared SSL they offer will force me to use an arcane web address like performa.ssl.2289.myblog.com rather than myblog.com- as it is now.
i wonder if anyone uses shared ssl without having the arcane web address.
Hi, having tried to find a solution to allow a secure connection via a shared SSL to my site, I’ve now trying out this plugin.
So far its good – but I seem to have a problem.
I can secure ?page_id=127 but not when permalinks are set. ie /shipping-rates/ (using it for my tests) doesn’t appear to work.
What is the correct format for adding additional urls when permalinks are set? I don’t mind if it isn’t possible, as I can just add a link to view the secure version of a page. But it would be nicer if it was possible.
@Bob
Unfortunately that is how Shared SSL works – you share a central server which has a valid SSL certificate. That is why many hosting companies can offer it for free.
@Rich
Do you use Shared or Private SSL? I have Private SSL on my site, and it works fine, simply entering the portion of the URL after my blog URL.
So, to secure all my 2007 posts, I simply add 2007/ to the Additional URLs box on the Admin SSL config page.
BCG
I was using a shared SSL – so will have to test again.
Though I was looking at adapting your plugin for another use – which I no longer need to do – so it might be a while before I test it out again.
nice plug-in. Useful. Thanks for share.
Yay! – just upgraded to version 1.3.2 (from 1.3.1) and it’s now finally working!
There was one bug, in that if you have the checkbox for only secure URLs when user logged-in checked, then it won’t let you modify the list of custom URLs (you hit save changes, it reloads page, and all your changes have been reverted), but unchecking that alllowed me to edit the list again.
Thanks
Hi,
I’m trying to decide if this plugin is the solution I’m looking for. On my WordPress site I have 2 pages, which each contain a single form (sensitive patient healthcare and history information). These forms need to be secured via SSL (I have access to private or shared), but I’m not sure how to do that in WordPress. At first I thought this plug-in would be the solution, but after reading more it seem it just secures the admin pages or possible other PHP files–e.g. not individual WordPress pages. Is it possible, using this plugin or something else entirely, to secure individual WordPress pages using a SSL certificate or do I need to be looking in another direction? Any help from anyone would be greatly appreciated.
@Mike
Absolutely – if you have Private SSL you can secure individual URLs – that is why the box is called ‘Additional URLs’ rather than ‘Additional Pages’.
So, if you wanted to secure site.com/blog/some-secure-page/ you would add ‘some-secure-page/’ to the Additional URLs box.
BCG
Great plugin, thanks. I have one request though (and it may already be possible): Can this be toggled on and off via a constant in wp-config?
I do all my development locally before deploying to production servers and frequently take copies of the production databases for local use. When I do this, my Admin SSL settings are obviously enabled on my dev environment where I don’t have SSL set up, as it isn’t needed.
I’m envisioning something like a boolean WP_ADMIN_SSL definition. This will allow users to wrap it in conditionals and only have it enabled on certain environments (by checking the value of $_SERVER['HTTP_HOST'], for example), and not use it when it isn’t desirable.
(I realize, of course, that I can simply set up SSL locally as well, but I think a wp-config option would a much more practical solution.)
Thanks. Feel free to e-mail me if you have any questions or need clarification about this use case.
@Kenn:
This could work – but only for Private SSL. I’ll see what I can do for the next release – I need to check compatibility with WP 2.7 as well.
BCG
Great, thank you!