Home | Setup | FAQ | History | Reset
Welcome to the homepage of the Admin SSL plugin for WordPress.
For a history of the plugin, please go here.
For setup instructions, please go here.
If you are having problems, please read the FAQ before posting.
If you need to reset Admin SSL, please go here.
The latest release, 1.5-b1, supports WordPress 2.8.
NB the only way I could get Admin SSL to work in WP 2.6+ was to get it to disable the new WordPress authentication cookies, and use the ones from 2.5.1. I personally prefer SSL than the cookie weirdness of 2.6+, but it's up to you.
If I could be cheeky, and you would like to make a donation (for all my hard developing!), please use the PayPal donate button below:
Features
- Works with WordPress 2.2 – 2.7 (using both Private and Shared SSL).
- Works with WordPress MU 1.3+ (using Private SSL only).
- Forces wp-login.php, wp-admin/profile.php and wp-admin/users.php to be secured. This cannot be turned off.
- Additional pages and directories to be secured (e.g. wp-admin/) can be defined on the configuration page.
- Other options can be defined on the new configuration page.
- Reset, debug and test modes for troubleshooting.
Downloads
The following downloads are hosted by wordpress.org.
1.4.1 – The latest stable version, with all the above features.
You can also download the development version (1.5-b1), which contains bugfixes and new features as I include them.
If you prefer, you can use the SVN repository. The releases are in the 'tags' subdirectory, the development version in 'trunk'.
Known Issues
- Admin SSL has 'erratic' behaviour when WordPress is not installed in the same directory as the WordPress URL. This is because of the way the WordPress canonical redirection functions work. I have not yet been able to overcome these.
The login page (and other admin pages) can be secured, but nothing on the site side.
Screenshots
Secure login page.
Secure plugins screen, with Admin SSL enabled.
design © bcg mmviii
@Eric
Your way may be ‘rather crude’, but I think it might be the simplest way! I’ll look into it, and release a new version. Thanks for bringing it to my attention, I didn’t know anything about xmlrpc.php.
Cheers
bcg
Hi
Just failed to set up Admin SSL on my site running WordPress 2.7.1
I have to run my site on non-standard port (8079) since my provider firewalls incoming connections on port 80.
So my blog URL constains port number – http://yoush.homelinux.org:8079/
My web server is set up to serve SSL connections on port 443, it works outside of wordpress area.
I tried to set up SSL Admin.
First, I selected ‘private ssl’, but that resulted in attempts to access https://yoush.homelinux.org:8079/, which obviously failed.
Then I selected shared ssl and entered URL https://yoush.homelinux.org/wp-admin/
It looked ok. However, then I reloaded my blog’s main page, and it contained admin link still http://, not https://. Logout link was https://, but it did not work: if I clicked on the link, it resulted in an error message with “try again” link pointing to the site’s main page.
Had to disable Admin SSL for now.
Could you please help?
Where do the settings show up in 2.7.1? I can’t seem to find the Admin-SSL config page anywhere. I have it installed and activated. Any help would greatly be appreciated. Thanks for the great plug-in!
@Richard
You can get there either by clicking the ‘Settings’ link in the main Plugins page. Depending on your own setting, it will be under the Plugins menu, or the Settings menu (the default is the Plugins menu).
@Nikita
Can you follow the instructions on the FAQ to enable debug mode and email me the debug log, please?
bcg
Those WP “menus” can be hard to find in 2.7.
After you click on “Plugins” you should see “Admin SSL”.
You can choose to move “Admin SSL” to the “Settings” menu, though. If you do, then click on “Settings” and you will see it.
You can “twist” the little arrows on the right of the section names (“Plugins” or “Settings”) to try to keep them displaying all the time, but this does not always work, in my experience.
@bcg
It does not appear in either of those menus. Does that mean something did not get installed properly?
@Richard
Is it enabled on the plugins page? The plugin must be activated once it is uploaded – once it is activated, the Admin SSL settings link should appear.
@bcg
Yep it is enabled and everything… I have used this plugin with older installations and it worked fine, but for some reason it is just not working in 2.7.1
@Richard
This is very strange, as I am using 2.7.1 myself – are you using the latest version (i.e. 1.4 or above)?
@bcg
yep, i am using the latest version. i have been having an issue with folder permissions, i.e. not being writable, could this be causing a problem?
would you like me to email you instead of clogging up your blog?
it happened to me too. Richard, you have to reset the plugin by typing in the url to the reset php file in the plugin folder.
The problem arises when you choose to show the plugin settings in the Settings menu (if you opt for the Plugins menu everything works as expected).
A few times I also managed to make the plugin page show by reducing wordpress side menu (clicking on the two arrows) and then again clicking NEAR the two arrows just a few millimeters on the right of them. Passing over the mouse you probably should see a glitch indicating the ‘hidden’ menu. Anyway if you reset the plugin everything will be restored.
Cheers
@alde & @Richard
Switching between the Plugins and Settings menu works absolutely fine for me – It would be good track this bug down, if you could email me any further info?
Hi Ben,
I installed the plugin today, and since I did, when I click the log out link I get a message saying:
“You are attempting to log out of channeltom.com | blog
Please try again.”
Is this something you’ve seen or can fix?
Many thanks,
Tom
PS – other than this I love the plugin!
@Tom
No it isn’t – can you do the debug log thing (FAQ page) and email it to me? Make sure you do a log off with the log enabled, so I can get a better idea of what’s happening.
Cheers
bcg
I periodically end up in an infinite redirect loop using shared ssl where I am bounced between /wp-login.php on my secure site and my regular site.
I can get Admin SSL working again by renaming the admin-ssl-secure-admin plugin directory (thereby disabling it), logging into WordPress, renaming the admin-ssl-secure-admin directory back, and reactivating the plugin. After doing that I can logoff and on with no problems for some time (a day or two) before the problem comes back.
Any ideas?
WordPress v2.7.1
Admin SSL v1.4.1
@Mike
It would be really helpful if when this happens you could enable the debug mode and send me a debug log – it is impossible for me to track down these redirect bugs without that log file.
Thanks!
bcg
hi, thanks for the great plugin you wrote, but since wp 2.7.1 visitors cant comment on the blog.
Im gonna keep an eye on this for the next couple of days, but I disabled all plugins and then enable one by one, and everythings ok with out admin-ssl.
So, talk you back in two days to confirm.
@Maski
Thanks – let me know what you discover, if I get some time I’ll look into it myself as well. Obviously people can comment on my blog ok, and I use Admin SSL!
bcg
Yeah I now it sounds ackward, but maybe its one of those bugs that arise when two different plugins interact.
In my case I had no comments in the whole weekend, right now im testing in two different blogs, if I found anything ill post.
Everything seems to be working fine. Only if I go from Dashboard to Users i get the followin message:
Secure Connection Failed
http://www.shimshon9.com uses an invalid security certificate.
The certificate is only valid for *.ipower.com
(Error code: ssl_error_bad_cert_domain)
* This could be a problem with the server’s configuration, or it could be someone trying to impersonate the server.
* If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.
Any ideas why this is happening?
I’m having the same problems as Mike…
Shared SSL setup resulting in a redirect loop error:
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
My host tells me this is a problem with the plugin (probably a standard answer of theres).
Any ideas?
Pat
@Pat
What are your cookie settings like? If you could send me a debug log, that would be helpful – I use Admin SSL 1.4+ on both Private and Shared SSL setups, with WP 2.7.1, and don’t have any problems.
@Shimshon
Are you using Shared SSL setup? It sounds like you haven’t quite entered your settings correctly, and Firefox is complaining!
bcg
Hi bcg,
first let me thank you for this great plugin. I have the same problems as mike and pat.
Using WP 2.7.1 and AdminSSL 1.4.1 with shared SSL – ending in a redirect loop.
Did you need my debug log for diagnostics too? If so I will email it to you.
Thanks in advance,
Jens
@Jens
Thanks for the log – there is obviously a problem somewhere, but I think tracking it down is going to be tricky, given that it isn’t happening 100% of the time. I’ll get my thinking cap on!
Cheers
bcg
Hi bcg,
think, I found the solution to fix the fatal error caused by admin-ssl-test
Alter line 197 inside admin-ssl-test.php to:
require_once(“admin-ssl.php”);
Naturally this will only fix the test, not the loop…
Cheers,
Jens
Hey there,
this plugin is working great for me except that the login redirect is taking me back to http:// rather than https:// in the backend.
This is the redierct url https://www.fairgrounds.org.uk/wp-login.php?redirect_to=http%3A%2F%2Fwww.fairgrounds.org.uk%2Fwp-admin%2F
I added wp-admin/ to the secure list, but this makes no change, should I send you a log?
Thanks
Nathaniel
edit:
I should say that if i put the ‘s’ in the url in the backend, all seems to ork as it should
@Nathaniel
I’m not sure what you mean – do you mean the ‘s’ in ‘https’?
bcg
I’ll try to make it clearer;
when I first go to login to my admin:
http://www.fairgrounds.org.uk/wp-admin
the url is then automatically changed to:
https://www.fairgrounds.org.uk/wp-login.php?redirect_to=http%3A%2F%2Fwww.fairgrounds.org.uk%2Fwp-admin%2F
I enter my details and I am then taken to:
http://www.fairgrounds.org.uk/wp-admin/
I was assuming that the redirect should take me to:
https://www.fairgrounds.org.uk/wp-admin/
If I then log out I get:
https://www.fairgrounds.org.uk/wp-login.php?loggedout=true
an then log in with my details, I get:
https://www.fairgrounds.org.uk/wp-admin/
which is the correct ‘https’ prefix I should be expecting
I hope that makes sense,
Nathaniel
Hi there
I’ve got it Admin SSL working ok, except that I’m stymied by “Security Warnings” in both Firefox and IE on the page I want secured (Order page)
I’ve tried a test page at https://www.FlexiScreens.com/contact/test with almost zero content, but Error Warnings persist. I’ve also deactivated all plugins 1 by 1, no luck.
Any thoughts on what to try next, because I cannot ‘see’ WHAT the non-secure content is!
Hi Ben,
I think I found it:
Have a look at your quantcast stuff you implemented it via http:// (js and img).
The rest seems to be ok from my point of view.
/Jens
Hi all
Sorry I’m really busy atm with work – thanks Jens for looking into this for me! Nathaniel, can you send me a debug log for when you initially log in please? Obviously the first redirect is not working for some reason.
bcg
Hi Jens
Ok, will do that. My tech guy says pretty much every page/image reference needs to be HTTPS to eliminate the Security Warnings – and there is a problem with the Theme we are using which does not allow for relative URL’s – the menu’s are ALL forced to HTTP etc.
He says that this is the problem needing some work;
Anyway, will report on what happens next – success/failure etc.
@Ben
You could try using the ‘additional URLs’ feature of Admin SSL to secure some of these links? I usually use that feature only for admin stuff, but it should work site-side as well, particularly if you have private SSL.
bcg
Hi BCG
Yeah, tried that, but it then applies the HTTPS links to all pages!!! E.g. if I add the RSS ‘feed’ page to “Additional URLs” then the RSS feed is chnaged to HTTPS on ALL pages! That’s not optimal…
Cheers
Ben
Hi there
Well, Jens was partly right – changing Quantcast URL’s to HTTPS was part of it, but we also had to change the Google Analytics URL to HTTPS to resolve the problem of Security Warnings.
Thanks
Your plug-in seems to work great! I only have one minor concern. It seems that since installing your AdminSSL plug-in, that every image I upload includes a https URL. I have checked and can verify that the “/uploads” directory is not in the “URL LIST” section.
This happens each time I upload a picture with a blog posting i create.
Also, there seems to be an issue when the option “you must be logged in to post” is selected, when your AdminSSL plug-in is enabled.
There is no problem logging in, the issue comes when you try to log out. You get a message stating that you are attempting to log out with a link to try again!
@bamajr
Do you have the wp-admin/ folder in the additional URLs list?
bcg
Is there a way to force a wp menu use https
without adding all the pages to the secure urls options box?
Seems like Admin SSL can secure about 97% of the urls in the header but 100% have to be secured or the certificate fails and the lock icon shows up as broken.
The archives links in the header cannot be secured by Admin SSL so I added all of them up to 2011 because I don’t mind those being https.Is it harmful to just remove those from a wp header?
The wordpress shopping cart adds stuff to the header like a var base url that can’t be secured by this plugin either.
I had this working 100% and then I changed permalinks and now it isn’t 100% anymore.