Home | Setup | FAQ | History | Reset
Welcome to the homepage of the Admin SSL plugin for WordPress.
For a history of the plugin, please go here.
For setup instructions, please go here.
If you are having problems, please read the FAQ before posting.
If you need to reset Admin SSL, please go here.
The latest release, 1.5-b1, supports WordPress 2.8.
NB the only way I could get Admin SSL to work in WP 2.6+ was to get it to disable the new WordPress authentication cookies, and use the ones from 2.5.1. I personally prefer SSL than the cookie weirdness of 2.6+, but it's up to you.
If I could be cheeky, and you would like to make a donation (for all my hard developing!), please use the PayPal donate button below:
Features
- Works with WordPress 2.2 – 2.7 (using both Private and Shared SSL).
- Works with WordPress MU 1.3+ (using Private SSL only).
- Forces wp-login.php, wp-admin/profile.php and wp-admin/users.php to be secured. This cannot be turned off.
- Additional pages and directories to be secured (e.g. wp-admin/) can be defined on the configuration page.
- Other options can be defined on the new configuration page.
- Reset, debug and test modes for troubleshooting.
Downloads
The following downloads are hosted by wordpress.org.
1.4.1 – The latest stable version, with all the above features.
You can also download the development version (1.5-b1), which contains bugfixes and new features as I include them.
If you prefer, you can use the SVN repository. The releases are in the 'tags' subdirectory, the development version in 'trunk'.
Known Issues
- Admin SSL has 'erratic' behaviour when WordPress is not installed in the same directory as the WordPress URL. This is because of the way the WordPress canonical redirection functions work. I have not yet been able to overcome these.
The login page (and other admin pages) can be secured, but nothing on the site side.
Screenshots
Secure login page.
Secure plugins screen, with Admin SSL enabled.
design © bcg mmviii
Hi, I want to use the plugin with wordpress mu (2.7), but I get an error saying “Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.”. Am I doing somehting wrong?
I think this might have to do with that I’m running httpd on RHEL (Red Hat Enterprise Linux). It seems to work fine on a debian install. When I turn on debugging it has a lot of ### ADMIN SSL BEGINS ### for ONE page reload! It seems not to understand that it already is https we’re talking..
@Bjørge
It may well be the SSL detection that’s playing up – have you got the right variables on the Admin SSL options page?
I had an error in my configuration resulting in $_SERVER["HTTPS"] not beeing set to “on”. Fixed now.
Another issue:
“Please note that installiation of Admin SSL on WPMU is only possible for Site Administrators”
What do you mean by this?
Can I not secure all admin sites on all blogs?
Regards
Bjørge
@Bjørge
It means that the Admin SSL options will only be available to users with admin rights. It will by default secure the admin pages of all users – but only administrators can edit Admin SSL options (e.g. turn SSL off).
bcg
@bcg
My problem is exactly that; I get ssl on b.uib.no/wp-admin, but not on anythingelse.b.uib.no/wp-admin. I noticed when I turned on logging that this appears in the log file:
Is WPMU: No
Could there have been changes in WPMU 2.7 that makes the variable global $plugins_dir be plugins, not mu_plugins?
Also, the Admin SSL setup configurator appears in the b.uib.no blog, not in the “Site Admin” bar.
Bjørge
I talked to donncha (maintainer of wpmu) and the way you check if you are in a wpmu-install is not the recommended one:
in function is_wpmu you should check for the presence of either function is_site_admin or the variable $wpmu_version
Bjørge
Sorry. It works, I played with a symlink in mu-plugins instead of copying the file. This altered $dir to admin-ssl (should be mu-plugins).
Hi – I’m having trouble.
I secured my checkout page but get the following error:
Forbidden
You don’t have permission to access /index.php on this server.
Apache/2 Server at web103.secure-secure.co.uk Port 443
This is the URL:
https://web103.secure-secure.co.uk/turnkeytelecom.com/products-page/checkout
Have tried it with and without a trailing URL.
@Hampstead
It sounds like there is a problem with your hosting company setup – have you contacted them to ask if they have any ideas?
bcg
Hi bcg,
on March 3rd I was detecting an error in my working enviroment – Using WP 2.7.1 and AdminSSL 1.4.1 with shared SSL – ending in a redirect loop…
Was my logfile helpful and did you get any news by now?
Thanks for the update,
Jens
@Jens
I haven’t had a moment to do any work on Admin SSL for a while now – I’ll try and do some this week maybe, and get back to you. Sorry about that!
bcg
I’m running mu 2.7.1 and private SSL with a self-signed cert during testing. The download is the latest from wp.com.
It is working perfectly with the exception of new blog activations. When I click the activation link in the email, I end up getting sent back to the site home page and the blog never gets activated or created in the database.
I went ahead and activated the debug log. It’s empty.
Any ideas?
@Scott
Can you send me a copy of the two activation emails please, one with Admin SSL enabled, the other with it disabled?
Cheers
bcg
Further to this issue – I found that the activation link works just fine if I disable admin-ssl first. The activation link looks something like – http://newblog.mysite.com/wp-activate.php?key=12345678
I also found that it would work just fine with admin-ssl enabled if I removed the subdomain from the url and directed it right at the main site – http://mysite.com/wp-activate.php?key=12345678
Thanks!
i’ve posted my problem at here : http://wordpress.org/support/topic/265920 ..so please give solutions. thank you so much.
I set up Admin SSL then went to change the options on my theme, Atahualpa, and all I got was a blank white page. Any help?
Thanks,
Kurt
@ Kurt
Hi I have Admin SSL installed with Atahualpa theme on a client’s site and the Atahualpa theme options page does work OK so your problem is specific to your site, not a general conflict between the two.
Hi,
I’m using 1.4.1 with shared SSL and was getting endless redirect loop.
My webhost is 1&1 and when using shared ssl, the blog url becomes https://ssl.perfora.net/myblog.com/. The check “host() !== $url["host"])” on line 186 of https.php was always failing because host() is myblog.com and $url["host"] is ssl.perfora.net. So, I commented out that check to break the redirect loop.
-V
This might help other folks trying to use admin-ssl with 1and1 using shared ssl.
Secure my site with SSL [check]
Shared SSL [check]
Shared SSL URL [https://ssl.perfora.net/myblog.com/wp-admin]
HTTPS Detection
HTTPS $_SERVER variable name [HTTP_X_FORWARDED_SERVER]
HTTPS $_SERVER variable value [ssl.perfora.net]
All options need to be entered without [ ]
@VC: Thanks for your work and for posting your solution!
I can say it works for me to
For the hoster all-inkl you only have to alter
HTTPS $_SERVER variable value to [ssl-account.com]
By now it works like a charme and I want to say thanks again for this great plugin and this solution!
Cheers,
Jens
I am using this on a WP install for a client. Whoever originally installed wordpress didnn’t install WP in the root directory, but rather the directory /wp. but WP publishes to the Root. So if I want to go to the admin I type domain.com/wp/wp-admin. If I want to visit the site I type domain.com.
When I turn on admin SSL it forces a redirect of domain.com -> domain.com/wp/ which produces a 404. It also does a weird rewrite of the URLs in additional URLs. if my URL is domain.com/additional-URL/ it rewrites the URL domain.com/wpditional-URL Notice how it truncates part of the address as it places in the WP.
My question is there any way to get the plugin to ingnore the /wp/ for page level enforcement? I really don’t want to move the WP install as there would be lots of referential issues I would have to untie.
Thanks for the help
Hi, I want to use the WordPress MU Domain Mapping plugin for WPMU. It is made by the lead developer of WPMU. http://ocaoimh.ie/wordpress-mu-domain-mapping/
My problem is that I use Admin SSL too, and the combination of these two fails miserably (redirect loop). Has anyone else had any success in using these together? Using them one at a time is no problem.
I use WPMU 2.7.1.
Hope you have some ideas!
Regards
Bjørge
Same for me. For that reason and for the problem I posted previously about, I ended up using the force SSL Login setting in wp-config.
Hello!
I just installed Admin SSL
I am running WP 2.7.1, latest downloadable Admin SSL with private SSL.
I just can’t seem to get it working :3 whenever I login with https, it says I have an infinite loop. Normal still working fine, plugin enable and I can still browse all areas, just not in SSL (https).
I tried disabling all addon but no dice. I’ve also tried to temporarily disable mod_rewrite, no dice. I’ve also google and people tell me to do silly things such as open and saving options-permalinks.php and yet still no dice.
I’ve read quite a few pages here and no help
? Any help could be appreciated.
Any ideas what could be wrong
I could email you a debug log if that helps.
Thanks again
@Maiev
Have you checked the HTTPS detection server variable key/value pair?
bcg
Hay bcg,
I took some time to examine what you said + previous post
got my answer XD
A.W.S.
8 August 2008 at 11:17pm
Thanks for a great plug-in. I hope this gets rolled into the core WordPress distribution. Especially considering how many people update their blogs on coffee shop wi-fi and other untrusted networks.
I would like to point out that version 1.1 of the plug-in does not work with Apache 1.3 out of the gate. This is probably the issue that @TFB ran into. Basically, Apache 1.3 (which a lot of hosting companies use) doesn’t have the HTTPS variable available. (Look under “specials” in the mod_rewrite 1.3 documentation (http://tinyurl.com/fgsge) and the 2.0 documentation (http://tinyurl.com/kawns) for confirmation.)
Assuming that the hosting provider runs HTTPS over port 443, a fix for this in the Admin-SSL plugin under “Other Settings” -> “HTTPS Detection” is to set:
“The name of the HTTPS $_SERVER variable” = “SERVER_PORT”
(without the quotes),
and:
“The value of the HTTPS $_SERVER variable when HTTPS is ON” to:
“443? (again, without quotes)
I set my HTTPS $SERVER variable as Server Port, then the port being the “actual” port of the SSL, being some weird numbers and got it working
ur plugin rocks! thanks again and sorry to bother u
now just gotta find the donate button XD
Hi, I found a bug in this plugin.
I reported the bug with a patch on WordPress forum:
http://wordpress.org/support/topic/267385
Please look.
@RedGecko
Thanks I’ll look at adding this to the source.
bcg
I have admin-ssl installed. It seems that it’s not possible to open any blogpost via https, but only via http. Is this a know issue of admin-ssl?
Can’t admin-ssl just ignore the url if it’s already secure?
I run into this problem because I also use a Twitter plugin. When I mark a post to be send to Twitter, it automatically created a bit.ly shortcut to the https-url of the blogpost because I’m logged in and working via https.
Hi again,
I found that wpmu-plugin domain mapping adds two actions:
add_action( ‘pre_option_siteurl’, ‘domain_mapping_siteurl’ );
add_action( ‘pre_option_home’, ‘domain_mapping_siteurl’ );
Admin SSL does not add these actions, but some others and some filters.
What I am wondering is how Admin SSL does the redirect to ssl, can you point me to the correct place in the source please?
Domain mapping does it pretty simple, it rewrites it like this:
$protocol . $domain . $current_blog->path
where protocol is https:// or http://
It seems that Admin SSL and Domain mapping is doing redirects that “compete”. Example: I have b.uib.no wpmu install, and test.b.uib.no wants to be mapped to test.com using Domain mapping plugin. I don’t know which one does the first redirect, but it seems this is what happens:
..
AS redirects to https://test.b.uib.no/wp-admin
DM redirects to https://test.com/wp-admin
AS redirects to https://test.b.uib.no/wp-admin
DM redirects to https://test.com/wp-admin
etc.
I have the same exact issue as Jeremiah… any resolution to this?
Jeremiah
4 May 2009 at 10:37pm
I am using this on a WP install for a client. Whoever originally installed wordpress didnn’t install WP in the root directory, but rather the directory /wp. but WP publishes to the Root. So if I want to go to the admin I type domain.com/wp/wp-admin. If I want to visit the site I type domain.com.
When I turn on admin SSL it forces a redirect of domain.com -> domain.com/wp/ which produces a 404. It also does a weird rewrite of the URLs in additional URLs. if my URL is domain.com/additional-URL/ it rewrites the URL domain.com/wpditional-URL Notice how it truncates part of the address as it places in the WP.
My question is there any way to get the plugin to ingnore the /wp/ for page level enforcement? I really don’t want to move the WP install as there would be lots of referential issues I would have to untie.
Thanks for the help
“Admin SSL has ‘erratic’ behaviour when WordPress is not installed in the same directory as the WordPress URL. This is because of the way the WordPress canonical redirection functions work. I have not yet been able to overcome these.
The login page (and other admin pages) can be secured, but nothing on the site side.”
so this is to say then that since my site is setup with a static front page at annamayer.com and that the loop is at annamayer.com/news and my blog is installed at annamayer.com/ibablog that it will not work. correct?
@Brian
Yeah – on the FAQ you’ll see that this is known, but there’s nothing I can do about it, I’ve worked long and hard to try and fix it, but I haven’t managed it so far.
bcg
I installed admin-ssl on my server at http://www.waterswebshops.com yesterday and it worked fine.
Today, we upgraded to PHP 5.2.9 (from PHP 4.4.9) and now I’m getting this error when I turn admin ssl on:
Warning: Cannot modify header information – headers already sent by (output started at /home/watescom/public_html/wp-admin/admin-header.php:17) in /home/watescom/public_html/wp-content/plugins/admin-ssl-secure-admin/admin-ssl.php on line 125
(I turned admin ssl off in the first place because, after upgrading, I was getting an endless redirection and ended up completed uninstalling the plugin (including removing the settings from the database via phpmyadmin.
Can you help figure out how to make the plugin work?
Thank you!
I’m having problems with this plugin and WP2.8, I cannot access the admin page in any way (well, deinstaling the plugin).
And I’ve seen on http://plugincheck.bravenewcode.com/ that your plugin is not working on 2.8 because of some harcoded text, just as an info.
If you need, I’ve a debug file.
Any idea?
Thanks in advance
@JBrinx
Thanks, I’ll look into it – not had much time recently to do any coding at all, sorry folks!
bcg
I can confirm that Admin SSL becomes non-functional in WP 2.8.