Welcome to the homepage of the Admin SSL plugin for WordPress.
For a history of the plugin, please go here.
For setup instructions, please go here.
If you are having problems, please read the FAQ before posting.
If you need to reset Admin SSL, please go here.
The latest release, 1.5-b1, supports WordPress 2.8.
NB the only way I could get Admin SSL to work in WP 2.6+ was to get it to disable the new WordPress authentication cookies, and use the ones from 2.5.1. I personally prefer SSL to the cookie weirdness of 2.6+, but it's up to you.
Features
- Works with WordPress 2.2 – 2.7 (using both Private and Shared SSL).
- Works with WordPress MU 1.3+ (using Private SSL only).
- Forces wp-login.php, wp-admin/profile.php and wp-admin/users.php to be secured. This cannot be turned off.
- Additional pages and directories to be secured (e.g. wp-admin/) can be defined on the configuration page.
- Other options can be defined on the new configuration page.
- Reset, debug and test modes for troubleshooting.
Downloads
The following downloads are hosted by wordpress.org.
1.4.1 – The latest stable version, with all the above features.
You can also download the development version (1.5-b1), which contains bugfixes and new features as I include them.
If you prefer, you can use the SVN repository. The releases are in the 'tags' subdirectory, the development version in 'trunk'.
Known Issues
- Admin SSL has 'erratic' behaviour when WordPress is not installed in the same directory as the WordPress URL. This is because of the way the WordPress canonical redirection functions work. I have not yet been able to overcome this.
The login page (and other admin pages) can be secured, but nothing on the site side.
Screenshots
Secure login page.
Secure plugins screen, with Admin SSL enabled.


Thanks so much. This is a huge help!
Ben,
Much thanks! I was going to poke at it, but my PHP is not up to the task.
Except for three small changes for me, it looks good. If I run into any issues I’ll post a comment here.
Thanks,
Jan Dembowski
Thanks for taking the time to update the plugin! It would be great if this plugin would play nicely with the ldap auth plugin located @ http://sourceforge.net/forum/forum.php?forum_id=756461 (or the ldap plugin playing nicely with admin ssl plugin). I guess this plugin isn’t really designed for WPMU, but it works good without the ldap plugin installed. I need both. i’ll keep researching but i might have to dive into the code when I have some time.
Thanks again
Thank you so much Ben, I was in the process of doing this myself, and had just realized that I didn’t have the time nor the skills.
Rossi
deejam:
If you get the chance or find a way to do this, let me know. It looks like it should be possible – but I don’t have an LDAP server to test it with I’m afraid!
Well I’ve managed to secure the dashboard by using the clean_url filter – but at the cost of a JavaScript error.
The problem is that the WordPress Stats plugin calls scripts and stylesheets from http://wordpress.com, and you can’t just switch to https! It’s up to the plugin provider to provide a secure url to their external files, I think.
So unless anyone has anything clever they can suggest, I’m not sure this one can be solved, short of disabling the stats plugin.
Hello,
I don’t find any one with the same problem i have so I hope i’ll find here some help, when I activate the plugin and try to access wp-admin, i get an error with firefox ( bad redirect ), if someone have any idea to fix this, it’ll be very helpful.
Thanks in advance.
Cheers,
DW
DispoWeb:
Are you using an old version of admin-ssl? This was the problem before I updated it to work with WP 2.5.
Or, if you are not using WP 2.5 please use the older version of admin-ssl, version 0.64.
In fact, I’ll update this site so that is made more clear.
BCG
Hello,
I’m using the new version of admin-ssl ( 0.67 ) and wordpress 2.5, it’s really very strange as problem, I don’t find anyone who has the same problem.
Cheers,
DW
DispoWeb:
Did you download it from the link, or the SVN repository? Sorry, I didn’t make clear before that the repository is my test version, as I try to fix the Dashboard problem, and so may not work.
Are you using shared or private SSL?
BCG
EDIT: try using the latest version from the repository – as I was testing it I had a redirection problem, when entering a non-https admin url having already logged in.
Hello,
Thanks for your reply, I downloaded the plugin from your blog and i’m using a private SSL.
I can access to my website using https://www.mywebsite.com and https://www.mywebsite.com/wp-admin/ without the plugin but i get the redirection error when i activate it.
Can you drop me an email, I’ll send you the correct URL to see the error ( my english is not very well so it’s better to see the error yourself ).
Cheers,
DW
After updating from 2.3 to 2.5 and activating admin_ssl.php v0.67, I get redirect errors. It looks like it gets in a loop of redirecting from one page to another. Removing the admin_ssl.php restores. Just in case I tried redownloading admin_ssl.php v0.67 again and uploading to plugins directory and I ran into same problem after activating. Clicking on a link in the admin area after activation seems to add extra /php/ directory in the target. My blog file is in http://www.mysite.org/php/my_blog/
Dear all
If you are experiencing problems with admin-ssl, please try downloading 0.70-b6. It is my latest development version, that I am using on my own blog, and seems to be working fine so far. I have made a lot of changes to the code, which is why I haven’t released it as a ‘stable’ version.
If you are using Shared SSL you MUST use this version of the plugin as it contains the fix to make admin-ssl work with Shared SSL under WordPress 2.5.
BCG
Hi,
Thanks for updating the plugin. I seem to have a problem though. When I’m editing a post and want to insert a link using WYSIWYG I only get an empty popup.
Any ideas?
Regards,
Joost
Joost:
As I said in the post, there is a problem with TinyMCE itself – you need to edit tiny_mce_config.php in order for it to work under SSL. Please go here:
http://trac.wordpress.org/attachment/ticket/6544/6544.2.diff
to see the patch that you need to apply in order for TinyMCE to work. I’ve applied it myself and there isn’t any problem.
BCG
Hi Ben
Thanks for this, you’ve saved me some work
Question though – do you have any inkling as to what it does to break the K2 AJAX comments? I’ve suffered that problem since before 2.5, but assumed it was down to my customized theme.
Chances are fixing it probably won’t be too difficult – the problem I have is finding the time to debug…
Mou:
As you probably noticed when you left the comment, I managed to fix the problem!
I tracked it down to comments-ajax.php, lines 30 and 34. They clash with the output buffering used by admin-ssl. If you comment them out, then live commenting will work.
I haven’t had any problems yet, but I don’t like commenting out pieces of code – I’ve asked the K2 guys why there is output buffering there (I can’t see it myself), but no response.
BCG
Thanks so much for this! I hope you keep on updating it and really appreciate it!
BCG,
Thanks for stepping in! admin-ssl 0.64 is blocking comments on , so I was pleased to see you’re actively working on it.
FYI: When I create a new account on my test blog, it sends me to , instead of the correct (configured in the Shared SSL field, and working for admin access).
Have you considered changing the new account email link from http to https? I of course understand if you don’t want to touch this.
Thanks again!
Chris Pepper
Chris:
This is now fixed in 0.71.
BCG
I bcg, thanks first of all for this wordpress 2.5 plugin. I saw before that there is a fix for standard tinymce who comes with wp 2.5. I use http://wordpress.org/extend/plugins/tinymce-advanced/ (3.0 compatible with wp 2.5).
I would like to know if there is a fix also for this one. When i activate admin-ssl and i go to write page, icons of tinymce-advanced are broken even if maybe editor works correctly (i didn’t tested this..)
Thanks in advance
A neat idea, since I have a dedicated SSL on my site. However, when you engage SSL, it affects the WordPress 2.5’s visual editor negatively. The insert link window, for example, is blank, and spell check no longer functions.
Can you fix?
Disabling SSL restores this to normal operation.
Peace,
Gene Steinberg
Hi Gene:
Check out the ‘Known Issues’ section at the top of this post, which explains the problem and gives the solution.
Cheers
BCG
Hi,
Fantastic that you picked up this plugin and got it working! If I may request something – I have been trying to use WP-OPENID, however it does not play nice (unfortunately can’t be more descriptive than that) with admin-ssl.
Would be quite handy if it could be made to work!
Thanks again
I am just working out the changes to use this with the upcoming WPMU 1.5 release and just having some issues since the admin-ssl.php file cannot be in a subdirectory and every other file can still be in the folder. Any clues? Much appreciated for reworking this plugin! That is great!
Trent
Drumbo:
I’ll take a look when I get the chance – been working on a couple of redirection bugfixes!
Trent:
Can you email me (details here: http://www.kerrins.co.uk/contact/) please with more explanation – where exactly do you want admin-ssl.php? At the moment it expects to be in a subfolder of /plugins/.
BCG
Ben,
Version 0.72 is working really well for me. The only thing I change for my site is putting in an if(is_user_logged_in()) check.
If the user is not logged in, then I remove the $comment_url and $secure_comment_url from. If they are logged in, leave it in place.
Also for Subscribe to Comments plugin, I put in a check if the QUERY_STRING matches wp-subscription-manager.
The reason I do this is because I am using a self-signed SSL cert. It’s no problem for registered users (the admin) but other people posting might be put off from seeing the SSL cert warning in their browser.
You can see the diff here http://wp.dembowski.net/wp-content/admin-ssl-0.72.diff.
Thanks,
Jan Dembowski
Hey Ben, me again
Suddenly, the plugin’s stopped working for me! I moved to a new web server (Media Temple) which also has a shared SSL certificate (although accessible via https://mou.me.uk), but for some reason now it’s giving me the infinite redirection of death!
Or, as Firefox puts it:
“The page isn’t redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete.”
I’m running 0.72 version of the plugin on WP 2.5.
Any ideas?
Mou:
Redirect errors are difficult to diagnose without more info. Perhaps you could email me with more info, like the URL in the address bar when it happens, if it’s pre or post login, stuff like that. Also, you could try downloading the development version above, which might fix it.
BCG
The issue springs up when I first activate the plugin – ie, as soon as I click “activate”, so to fix things I’m having to rename to Admin-SSL folder. The URL in the address bar is:
https://mou.me.uk/cms/wp-admin/plugins.php?activate=true
But it affects the entire admin area. Anywhere where it should be https as far as I can see.
Firebug is showing the page returning a 302 header… then the page reloads and returns another 302.. and it continues until Firefox either gives up or I try and look at the response tab in Firebug, at which point the browser (and a few other open programs) lock up for a few seconds!
Blog front-end is unaffected.
Tried the latest version on SVN but its giving me the same problem.
Can’t think of anything else offhand. Let me know what other info you need!
Okay, possibly very very stupid question here, but I’m trying to run the 0.72 version of the plugin on wpmu and am having a little bit of difficulty finding the Admin SSL plugin configuration page. It’s possible that this page exists only in wp 2.5 and not in wpmu, for some reason, but if it does exist could someone hit me with a clue? Thanks much.
Mou:
If you have the latest version, please try going to this page:
http://BLOG_HOME/wp-content/plugins/admin-ssl/admin-ssl-reset.php
(Obviously replace BLOG_HOME!)
This will reset the database options and allow you to activate AdminSSL and reenter your Shared SSL settings – the Shared SSL URL should be https://mou.me.uk/cms/wp-admin/.
John:
I’m currently working on making the plugin work with WPMU, I’ll release a version when it’s done, sorry but you’ll have to wait for now!
BCG
Jan:
I’ve added the is_user_logged_in() check but not sure about the subscription manager one.
In the latest development version (0.80-b14), which should be available to download from WordPress.org soon, the subscription manager is not secured – is this the behaviour you were after?
BCG
Ben,
That’s sort of what I’m aiming for.
For the subscription manager if the user is not logged in, then I want the subscription manager to be unsecured. This is because of my self signed SSL cert; I don’t want to turn off or scare the user if they want to modify their subscriptions to comment threads. Those user would not really be admin’ing the blog and their URLs go out via e-mail which is already unsecured.
If the user is logged in (via a check) then I want it to be secured. The idea is that if they are registered and logging in the end user either imported and accepted the self signed cert or they don’t mind the warning. Also logged in users should have their admin secured as just good practice.
Ideally there would be an area in the Admin SSL options screen to put in strings to bypass the SSL admin for non-logged in users ala WP Super Cache’s reject URI entry box, but that would be massively pushing the boundary of feature requests and I’d use up all my “Feature Request Karma in one rip”…
Thanks for all the great work,
Jan Dembowski
Ben,
I’ve just downloaded the development version and that’s great.
The options for secure commenting are exactly what I was looking for, thanks.
Jan:
Good stuff, I’m glad it’s working! Your feature request is a great one – I’ll see what I can do.
BCG
Dear all
The development version is now 1.0-rc1. It has many new features, which are listed in admin-ssl.php. It supports WPMU on Private SSL (still being tested, but seems ok so far), and has the option to secure custom pages. It has a new and much improved method of forcing HTTPS, and various bugfixes.
I am using it on my own blog, and will fix any bugs I come across. If any of you feel like installing it, and letting me know if you have any problems, that would be much appreciated.
BCG
Ben,
Well I’m definitely kicking the tires
will comment here if I find any problems.
Thanks,
Jan Dembowski
New development version released, 1.0-rc4. This adds full support for WordPress 2.2 and 2.3 (not that anyone still uses them, but hey). We’re getting close, people! All it needs now is more testing on the new WPMU and I’ll release 1.0.
BCG
bcg,
So far it looks like 1.0-rc4 is working great for our wpmu install. I’ll let you know if anything breaks. Thanks a *lot* for this.
jf
Although it works on our main blog perfectly, any sub blog still has non-SSL behaviour. Is it possible to activate the plugin, and then change the default to use a private certificate so that each new blog doesn’t have to enable and adjust settings themselves?
Hi John
Thanks for trying it out. The way to get Admin SSL to work across the whole site is to install it in the /mu-plugins/ directory, rather than /plugins/. Your layout should be:
/mu-plugins/admin-ssl.php
/mu-plugins/admin-ssl/… (other Admin SSL files)
Once installed and activated in there, the plugin is activated across all sub-blogs, because it uses site-wide options.
Hope that clears things up for you! I was going to wait until the release of 1.0 to give installation instructions for WPMU, perhaps I shouldn’t’ve waited.
BCG
Hot dog, bcg! Yup, works fine now. A little confused when I didn’t see admin-ssl show up under the plugins tab, but there it is under site admin. My first wpmu install, can’t you tell.
Anyway, thanks again so much for the plugin.
Hi John, glad it’s working for you now! Thanks for the feedback and encouragement.
Ben,
Just shot you off an e-mail. It’s all good, just seeing some odd errors in my log file.
Thanks,
Jan Dembowski
Ben it is working fine on 2 WPMU installs (one 1.3.3 and one 1.5 RC) so I would have to say it is fine
Perhaps this has been covered already, however I wanted to know if it is possible to stop admin-ssl adding https to images added via the “create new post” option. The only way I can see to get rid of the “s” is to use an external editor (although if one goes back into editing the post via the web, the links will appear to still be secure, however if no changes are made via the web, the links will actually not be secure). Does this make sense?
Drumbo:
Thanks for your post – I have seen this problem. Unfortunately WordPress seems to insert relative, rather than absolute links. The only way to solve this is to use the development version of the plugin (currently 1.0-rc10), which is very stable and about to be released. If you install the dev version, go to the Admin SSL config page, and remove ‘wp-admin/’ from the additional pages, this will make the images work again.
The new behaviour of Admin SSL is NOT to secure ALL admin pages by default, but only wp-login.php and wp-admin/profile.php. This is because of speed issues, and because there is no need in most situations to secure every single admin page. It also has the advantage of fixing this annoying image bug!
Cheers
BCG
Hi, Thanks for the response. Will give the rc version a whirl
I have released version 1.0! Thank you for all who have helped test this version, and who have suggested features – Chris Pepper, Jan Dembowski, Mou and Trent especially.
If you have been using any development versions of Admin SSL between 0.72 and 1.0, please reset your Admin SSL database options before or immediately after installing version 1.0, or you will get a redirect error.
BCG
You have done a fabulous job on Admin SSL! Your work is much appreciated, and I like the new options in release 1.0.
I am having a small problem and can’t quite figure out how to fix it. I have added custom pages and when I turn on debug, I can see that it is adding 2 forward slashes when it uses the custom pages which breaks the links. Any chance you have a suggestion for a fix?
Thanks!
Ryan
Hi. Your plugin looks like exactly what I need, but I am cautious…. since it sounds like some folks may be having problems with the new release. Also, I am only interested in securing the log-in page. Is it possible to limit the plug-in’s uses to just that?
And, yes, in case you are wondering, I am a complete novice with these particular things.
Any help appreciated. Thanks!
Hi there
The new release works fine, as long as you don’t have one of the cache plugins installed. The redirection problem mentioned in the previous comment before yours will only occur if you use the ‘use a different blog url than the installation directory’ feature.
Hope that helps! Many people, including myself, use this on our blogs successfully. To secure the minimum number of pages (wp-login.php and profile.php), simply delete all the entries in the ‘Additional URLs’ box on the config page.
BCG
Wonderful plugin! Many thanks indeed!
I did run into one issue though. In a peculiar application, some of the file links on the page were NOT https. (These were some java script links.)
Today I noticed a plugin (http://wordpress.org/extend/plugins/https-for-wordpress/) mentioning this issue.
Do you plan a fix to this bug? (Perhaps I have to install the other plugin meanwhile.)
Again, much thankful for your hard work. I am enjoying your plugin very much! (Hopefully, so do some visitors to my site.)
Hi Peter
Thanks for using the plugin and posting – I’m glad you’re finding it helpful! The ‘bug’ you mention is not really a bug in Admin SSL, but in the plugins themselves that aren’t able to distinguish between HTTP and HTTPS.
If plugins load CSS or JavaScript dynamically, rather than including them in the page HTML, then there is no way I can find for Admin SSL to change the links to be HTTPS. I have been looking into it, but I just can’t find a way!
BCG
Ben, thanks again for the hard work on this plugin and for working with me on securing just the pages that need it. It is working great on WPMU both version now without a hitch and page loads in the admin are 4 times + faster without every page being secured. I like that I can even add “plugin” generated pages to secure
I am also happy to help you and donating something next!
as soon as i got to enable the plugin, the server will reply that my site sent an invalid error code, error: -12263 what’s that mean?
Hi Joseph
The problem is with your SSL certificate installation, rather than Admin SSL. Try here:
http://howtoforge.com/forums/showthread.php?t=18118
Or contact your hosting company for more information.
BCG
Hi BCG,
Just want to say “thank you”. It’s a great and valuable plug-in.
Hi,
today I installed your plugin (WP ‘automatically’ updated it to 1.0.4, so I should have the latest version, I think). The problem is that I am getting
The page isn’t redirecting properly
Iceweasel has detected that the server is redirecting the request for this address in a way that will never complete.
There should be no problem with SSL. I am using private SSL and when accessing the admin section of my webpage with https, everything works fine. The error I am getting only on the pages that should be secured (wp-login.php and wp-admin/profile.php), for example when I do log-out.
Oops… stupid me didn’t read fully to post my issues here. I already wrote a nice long write-up of an issue I’m having with some weird redirecting issues when using Shared SSL in which the “/wp-” portion of the URL is being dropped. I posted all the details at http://wordpress.org/support/topic/178602.
Looks like a nice plugin. Now only if it would play nicely.
Sounds like there are some funny redirections going on here, perhaps introduced with 1.0.4.
If you could reset your options (instructions on the Reset page above), and then try, to make sure it isn’t a strange config option problem (that’s happened before).
If it still doesn’t work, could you enable debug mode, following the instructions in the FAQ? Then follow the steps you are having trouble with, and email me the debug log file (webmaster AT kerrins DOT net), which will enable to pinpoint where the error is going on.
Cheers
BCG
Is it possible to password-protect the whole site with this plugin? If so, how?
Antonio:
Sadly not – the best way to do that is to set the blog address to https:// – then WordPress itself will force the whole site to be HTTPS.
BCG
Hi,
This is probably a bit too on the edge, however I have svn’d the latest version of wordpress (which is 2.6 bleeding2) and I notice that the admin-ssl plugin is now doing the redirects the whole time.
Is there any possibility of getting an idea on how to fix this?
Thanks
hi Ben,
thanks for this great plugin. i installed it with no problems at all.
i wonder, can we make a rewrite rule that shuttles all traffic to wp-admin to the secure host?
i’m trying to follow the instructions on http://codex.wordpress.org/Administration_Over_SSL but no luck.
my wordpress address is: http://www.myexample.com/wordpress/
thanks a lot
Drumbo:
I’ll take a look, but the problem could be with WP 2.6 of course!
Soyuz:
Try adding ‘wp-admin/’ to the ‘Additional URLs’ box on the Admin SSL config page.
BCG
Hello Ben, thanks for this great plugin. i installed it but I have problems.
I installed last version 1.0 of your plugin and last WPMU 1.5.1
I upload admin-ssl.php to /mu-plugins and rest of files to /mu-plugins/admin-ssl
I go to Site Admin, Admin SSL and I check “Secure my site with SSL”.
My url blog is like http://blogs.company.com and if I try to login works 100% but I create another blog (http://blogs.company.com/blogtest1) when I try to login I get Error 404 Not Found.
Sergio (and others):
Thanks for reporting this, I’ll look into it when I can – my wife and I are about to move house (on Monday) so development on the plugin has stalled a little while we prepare for that, and actually move!
BCG
hi, it’s me again
i have another questions.
1. sometimes when i access my wp-admin, the https:// on the url became http://. so i usually reset the admin SSL and re-activated. i use WP 2.5.1
2. i also realize that when the url is https:// the post-slug didn’t work. i couldn’t edit the slug. is it related to a bug from the plugins that aren’t able to distinguish between HTTP and HTTPS, as you mentioned in the earlier comment?
and thanks again for the great plugins!
Soyuz:
I’ve just fixed bug (2), which will be included in the next release, once I have confirmed some other bugfixes. As for the first one, have you worked out how to make it happen, or is it random? If it is not random, could you enable debug mode (see FAQ) and email me the debug log please?
Sergio:
Can you confirm you are still getting this error? I am not having a problem with WPMU 1.5.1 and Admin SSL 1.0.4. Please email me with more info if you are still having trouble.
BCG
Sorry, solved in 1.5.1, I don’t have in virtual directory:
AllowOverride FileInfo Options
Solved and working ok in 1.5.1 and 1.3.1 with LDAP Auth too, now my problem is with LDAP Auth in 1.5.1.
Thanks for all.
hi,
thanks for the reply. and thanks for fixing the bug(2). really appreciate it.
for the first problem, it’s random. but i think that’s my mistake. i didn’t upload admin SSL plugin on the httpsdoc folder, only on httpdoc. after i put the admin SSL to my httpsdoc, the url is always https and never changed to http since then. silly me. sorry to make you worried.
thanks again and i look forward to the next release.
Hi,
Just to let you know I have downloaded the latest svn version and it isn’t working with 2.6 svn version. It is no longer doing the continual redirect, however it seems to authenticate, and then go back to the login screen. If I go back to the main page (front page of my blog) I can see that I have been logged in, however if I click on the admin link, it attempts to go to the admin section, but is redirected to the login page! Hope that makes sense
Drumbo:
Thanks for the heads-up – I think I’ll probably wait until a RC of 2.6 before I really look into it – there’s no point ‘fixing’ a bug that disappears in the final release!
Cheers
BCG
Hi,
I find that the redirect after clicking login won’t work.
I can see this is due to two letters being added to the redirected URL. This occurs after the ‘type’ suffix, e.g. “.com/wp-admin/” becomes “.comds/wp-admin/”
However, I can’t seem to find anything in WP-options that is adding the last two letters of the sub-domain that I have WP in.
I have checked the database and the standard URL is written correctly in all the setting.
Any help would be great.
Thanks.
I am using Admin SSL 1.0 with WordPress 2.5.1 and private SSL. Generally it works great but as soon as I enable Admin-SSL, using the site with SSL is impossible. If someone tries to reach the site via https://my.blog, he is redirected to http://my.blog . Is there any posibility to have both, SSL-secured login and optional SSL at the rest of the blog?
first, wanted to say good work with the plugin i’m sure.. it’s a nice feature to have.
now, that said, i haven’t been able to enable it on my site. i’ve downloaded it (1.05), activated it, and tried to configured it via the setup panel but, when i click “save changes” i’m being prompted to “are you sure you want to do this?” but not given the option to say yes. the only thing i can click on that page is “please try again”.
any help would be appreciated. thanks again for all the efforts..
Tony:
Are you using the latest version (1.0.5)? If so, could you read the FAQ, enable debug mode and send me the log file please, so I can troubleshoot the problem?
Hoshpak:
Unfortunately WordPress forces its URL to be what you enter in the General Settings tab, so SSL will NOT work for blog pages, only for admin pages. If you want your blog to be secured, you can only do this by changing the URL in the WP General Settings – but this will of course secure your entire blog.
Paul:
This error happens when you try to submit to a WordPress page from another unverified domain name. E.g., you are signed in to myblog.com, and try to submit to myblog.com/wp-admin/settings.php from, say, somesite.com/wp-settings.php. Perhaps you also could enable debug mode, and send me the log file to help me troubleshoot?
Cheers
BCG
bcg: Thanks for your reply. I hope this will be fixed in WordPress 2.6.
ssl plugins wordpress – mu problem ?
Bayan:
Not as far as I’m aware. Is there a specific problem you’re having?
@Hoshpak and @bcg:
I think with some hacking around the URL scheme replacements (I’m thinking specifically line 347), if you don’t change the scheme if it is already https ever (so you never go https->http), you can make the site https optional.
Craig:
Thanks for your comments – the reason this won’t work site-side is wp-includes/canonical.php, which forces site-side links to be the URL defined on the main Settings page.
If Admin SSL tries to make a site page secure, then there is a never-ending redirect as WordPress and Admin SSL keep redirecting.
The way to do this would be to do some checking using the ‘redirect_canonical’ filter, to stop WordPress redirecting – but I haven’t had time to do this yet, it’s on the feature list for 1.1.
BCG
Hoshpak and Craig:
I think I’ve cracked it – try downloading the development version above (1.1-rc3) and adding a site-side URL to the Additional URLs box on the config page.
It works for me, on both private and shared SSL. Let me know what you think.
BCG
It works great – Without changing any settings, I’m able to go to the site in https, and it doesn’t kick me back to http! Most excellent
Works great for me as well. Thanks @cfg.
Do the recent changes in 2.6 regarding SSL remove the need for this plugin? http://boren.nu/archives/2008/07/14/ssl-and-cookies-in-wordpress-26/
@Craig:
If you want your entire admin area to be secured, then the new 2.6 feature will do that for you. However, I am still working to update Admin SSL because WP 2.6 does not support shared SSL, and nor does it support the securing of individual URLs.
I have however emailed Ryan to suggest that some of the features/code from Admin SSL are included in 2.7.
BCG
Hi,
can I use IP instead of domain when entering shared ssl directory?
I always close out myself, I dont know which is my main host domain and ssl certificate where my domain is.
sorry for my bad english
@Seany:
You can enter whatever you like, as long as it works when you put it in the address bar of your internet browser. Domain names are basically IP addresses anyway. Go to http://216.234.124.195/ and you’ll see it is the same as going to http://www.kerrins.co.uk/.
bcg
After struggling with this plugin for a long while I come to realize my host doesn’t have the environment variable SERVER["HTTPS"] set even if the request comes from https. The port is 80, not 443. How can that be? The browser shows the padlock icon if I browse to a test page using shared SSL but the environment variables show:
_SERVER["SCRIPT_URI"] = https://server123.myhost.com:80/~myuser/test.php
_SERVER["SERVER_PORT"] = 80
_SERVER["HTTPS"] =
_SERVER["SSL_PROTOCOL"] =
Any way to key off the SERVER["SCRIPT_URI"] variable instead of
SERVER["HTTPS"]?
@TFB:
If you’re using 1.1, change line 158 from:
return(isset($_SERVER[$https_key]) && $https_value === $_SERVER[$https_key] ? true : false); }
to
return(substr($_SERVER["SCRIPT_URI"],0,5) === "https" ? true : false);
That should sort you out.
bcg
That did it. Thanks a lot for your help. I’m still not sure why my host doesn’t set the SERVER["HTTPS"] variable for shared SSL. They told me that’s the way it is on their servers. For others who run into a redirect loop on shared SSL, check the $_SERVER["HTTPS"] variable! Anyway, thank you for the great plugin!
Dear all
I have updated the development version of Admin SSL to support WP 2.6 (eventually!). If any of you would like to try it out and let me know if it works, or not, I would be very grateful. I’d especially like testing on Shared SSL setups. It works fine for me on my test server, but you never know!
Cheers
BCG
I tested the latest development version with my 2.6 blog and unfortunately it doesn’t seem to work. I am using the shared ssl provided by hosteurope (available under https://ssl.webpack.de) and when I enter https://ssl.webpack.de/blog.mydomain/wp-admin/ I end up in an infinite redirection loop. I tried using https://ssl.wepack.de/mydomain/blog/wp-admin/ instead and it doesn’t cause a redirection loop but won’t let me enter the login page either. I am just being redirected to the homepage of my blog.
Hi
I installed your development version on a new 2.6 wp version and it works fine with a private SSL.
Redirect http://../wp-admin to https://../wp-admin
Just curious doesn’t 2.6 offer the same feature as your plugin.
I thought it did, but couldn’t get it to work.
However when I installed your plugin it works fine.
Thanks
Sherif
@Hoshpak:
Can you follow the instructions on the FAQ page to enable debug mode and email the log file to me please? That will tell me which bit of the code is causing the redirect loop.
@Sherif:
Other people have emailed me with problems with WP 2.6’s SSL implementation – it is quite rough around the edges.
BCG
Thanks for a great plug-in. I hope this gets rolled into the core WordPress distribution. Especially considering how many people update their blogs on coffee shop wi-fi and other untrusted networks.
I would like to point out that version 1.1 of the plug-in does not work with Apache 1.3 out of the gate. This is probably the issue that @TFB ran into. Basically, Apache 1.3 (which a lot of hosting companies use) doesn’t have the HTTPS variable available. (Look under “specials” in the mod_rewrite 1.3 documentation (http://tinyurl.com/fgsge) and the 2.0 documentation (http://tinyurl.com/kawns) for confirmation.)
Assuming that the hosting provider runs HTTPS over port 443, a fix for this in the Admin-SSL plugin under “Other Settings” -> “HTTPS Detection” is to set:
“The name of the HTTPS $_SERVER variable” = “SERVER_PORT”
(without the quotes),
and:
“The value of the HTTPS $_SERVER variable when HTTPS is ON” to:
“443” (again, without quotes)
This seems to work on my setup:
WordPress = 2.6
Admin-SSL = 1.1
Apache = 1.3.41
PHP = 5.2.6
(Now in @TFB’s case, this wouldn’t work since his host is running SSL over port 80, which is kinda weird. If it is any port other than 80 though, this should work.)
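Added example (not part of the comment thread and not Admin SSL's own code): one detection routine covering the cases reported above, namely an empty `HTTPS` variable with an `https://` `SCRIPT_URI`, and Apache 1.3 with only `SERVER_PORT` to go on. The function name, its parameters and the sample `$_SERVER` arrays are assumptions made for illustration.

```php
<?php
// Added example: not Admin SSL's code. request_is_https() and its parameters
// are hypothetical names; the sample $_SERVER arrays below are constructed.

/**
 * Decide whether a request arrived over HTTPS.
 *
 * $key and $on_value play the role of the two "HTTPS Detection" settings
 * (the variable name, and its value when HTTPS is on).
 */
function request_is_https(array $server, $key = 'HTTPS', $on_value = 'on')
{
    // 1. The configured variable. An empty string counts as "not set" (the
    //    shared-SSL host above), and IIS reports "off" for plain HTTP, so the
    //    value is compared instead of only testing isset(). The comparison is
    //    case-insensitive so a configured "ON" matches a server's "on".
    if (isset($server[$key]) && $server[$key] !== ''
        && strcasecmp((string) $server[$key], (string) $on_value) === 0) {
        return true;
    }

    // 2. Fallback: the scheme of SCRIPT_URI (an Apache mod_rewrite variable),
    //    which was correct on the host that left HTTPS empty and used port 80.
    if (isset($server['SCRIPT_URI'])
        && strncasecmp((string) $server['SCRIPT_URI'], 'https://', 8) === 0) {
        return true;
    }

    // Unknown means "not HTTPS": a missed detection shows up as a redirect
    // loop, while a false positive would leave the login page on plain HTTP
    // without anyone noticing.
    return false;
}

// Constructed test cases: array($_SERVER sample, configured key, configured value).
$samples = array(
    'shared SSL, HTTPS empty, port 80' => array(
        array(
            'HTTPS'       => '',
            'SERVER_PORT' => '80',
            'SCRIPT_URI'  => 'https://server123.myhost.com:80/~myuser/test.php',
        ),
        'HTTPS', 'on',
    ),
    'Apache 1.3, key set to SERVER_PORT' => array(
        array('SERVER_PORT' => '443'),
        'SERVER_PORT', '443',
    ),
    'HTTPS=on, configured value "ON"' => array(
        array('HTTPS' => 'on', 'SERVER_PORT' => '443'),
        'HTTPS', 'ON',
    ),
    'IIS plain HTTP, HTTPS=off' => array(
        array('HTTPS' => 'off', 'SERVER_PORT' => '80'),
        'HTTPS', 'on',
    ),
    'plain HTTP with SCRIPT_URI' => array(
        array('SERVER_PORT' => '80', 'SCRIPT_URI' => 'http://example.com/wp-login.php'),
        'HTTPS', 'on',
    ),
);

foreach ($samples as $label => $case) {
    list($server, $key, $value) = $case;
    printf("%-38s %s\n", $label, request_is_https($server, $key, $value) ? 'https' : 'http');
}
```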
I installed the development version 1.2-rc1 on wordpress 2.6 in a shared SSL hosting, but found this problem.
When I entered the following url to the Shared SSL URL field, the admin login page didn’t work.
https://www.mydomain.com/~myusername/blog/wp-admin/
If you view source of the admin login page, “~myusername/blog/” appeared twice in the links.
https://www.mydomain.com/~myusername/blog/~myusername/blog/wp-admin/
Now, I changed the http://www.mydomain.com to http://www.hostcompany.com, it worked!
https://www.hostcompany.com/~myusername/blog/wp-admin/
@Steve
If you entered
https://www.mydomain.com/~myusername/blog/wp-admin/
into Admin SSL’s config it is no wonder it didn’t work – you must enter the correct shared URL:
https://www.hostcompany.com/~myusername/blog/wp-admin/
into Admin SSL. Then the links will be correct.
Or am I not understanding your query properly?
BCG
hi. Thanks for plugin
perfect.
Regards
bcg,
https://www.mydomain.com/~myusername/blog/wp-admin/ is a valid shared URL.
Similarly, when I changed mydomain.com to myotherdomain.com that host in the same shared-hosting server, it was also a valid shared URL and it worked.
However, the “~myusername/blog/” part is duplicated if mydomain.com is the TLD that host the wp.
Steve
@Steve:
Perhaps you could enable debug mode and send me a log file from when you load a page with the double links?
Cheers
BCG
Ben,
You mention that in order to make the plugin work with WP 2.6 you had to disable the new WordPress authentication cookies and use the ones from 2.5
Could you just give a hint how to do that?
Thanks!
@Christoph
Admin SSL does this automatically for you. Sorry for not making that clear!
BCG
Thanks for the clarification on the authentication cookies.
Sadly, I seem to be one more person suffering from redirection issues. Neither the normal version nor development seem to work for me. Any idea?
@Christoph
The thing to do is enable debug mode and view your site with Admin SSL enabled so it redirects, and then email me the debug file. The instructions are in the FAQ.
Ben
Hi, I followed your instructions for WPMU and I am getting a failure. Error message below.
It seems as though WPMU is choking because admin-ssl.php was copied outside of the admin-ssl folder and put right into mu-plugins.
Any advice?
Warning: require_once(includes/debug.php) [function.require-once]: failed to open stream: No such file or directory in /www/hosts/sitedir/docs/wp-content/mu-plugins/admin-ssl.php on line 56
Fatal error: require_once() [function.require]: Failed opening required ‘includes/debug.php’ (include_path=’.:/php/includes:/opt’) in /www/hosts/sitedir/docs/wp-content/mu-plugins/admin-ssl.php on line 56
fyi, it is failing on wpmu 2.6.1 .
@Klark:
This will be fixed in 1.3.1, which is about to be released.
If you need it urgently, please download the development version, which is 1.3.1-b2.
Cheers
BCG
I don’t understand the installation instructions. It says to ‘upload Admin SSL files to: /wp-content/mu-plugins/admin-ssl/’
1) Do I create that directory manually and copy everything from the .zip file into that directory? The .zip file is named ‘admin-ssl-secure-admin’ so I’m guessing you don’t copy the unzipped archive into the mu-plugins directory?
2) I then move the ‘admin-ssl.php’ file from mu-plugins/admin-ssl to mu-plugins or do I leave a copy in the admin-ssl directory?
3) When I put admin-ssl.php into the mu-plugins directory it fails because it cannot find the /include directory (because it’s one directory below). If I copy the entire contents of the archive directly into the mu-plugins directory it fails to load a page because it says it cannot find the WP Config file.
Any ideas?
sfguy808:
This is the discussion I just had with Klark – please download the development version (1.3.1-b2) from the link above.
1) unzip .zip file and copy ALL contents to /admin-ssl/ directory.
2) move or copy admin-ssl.php, it doesn’t matter.
BCG
Thanks – your fixes worked great! Thanks for supporting the code so efficiently!
So, this worked up until a couple of months ago, but now you’ve broken it – activating the plugin on WordPress 2.5.1 clean install … nothing happens, plugin doesn’t work, and there is no management page for this plugin. Disappointing.
I guess those changes you made to try and fix it for 2.6 have broken it for 2.5.
I am now going to try and use archive.org cache to find an old version – one which works.
Is there a way to get on some mailing list for updates?
@adam:
I have a test setup for 2.2, 2.3 and 2.5, which are all clean installations, with no options set, no plugins installed except Admin SSL, and all three are working fine with 1.3.1.
Are you on Shared SSL? The link to the Admin SSL options page is to the right of the ‘Plugin Editor’ link by default. It won’t do anything until you set the options there. If that link isn’t appearing, I’ll need to do some more investigating. Please email me with more info.
@sfguy808:
Do you mean notification when new versions are available? Because WP 2.6 should tell you that. If you mean new comments, there should be a comments feed (link at the top of all the comments). At present I don’t send out mailings to anyone – but if you don’t want to subscribe to a comments RSS feed, you can subscribe to an email list when a new comment is posted – use the link underneath the ‘Leave a Reply’ box.
Cheers
BCG
LOL my other plugins all place their management pages under the “manage” section rather than the “plugins” section, which is why I couldn’t find the management page. Doh. Sorry.
However, every time I try to enable it, I get this annoying error message and nothing happens:
“Are you sure you want to do this?
Please try again.”
Um, yes, of course I’m sure. What do I have to do to prove it to you?
Hi Adam
This is a WordPress error, when the ‘wpnonce’ values do not match. Are you trying to access your pages over SSL *before* activating Admin SSL, i.e. when you are on the Admin SSL options page to enable it, does the URL begin https://?
I have seen that error in that situation. Otherwise, try clearing your browser cache etc etc.
BCG
re: accessing over SSL – yes, I was.
But, trying again, accessing not over SSL, I get exactly the same error.
Ben,
After configuring your plugin incorrectly I had to do a reset. First I just deleted the plugin from /wp-plugins/ but found that whenever I put it back and reactivated it, I was locked out of the blog. Then I followed your second reset suggestion: going to http://BLOG/wp-content/plugins/admin-ssl/admin-ssl-reset.php. After doing this, I was able to reactivate the plugin without being locked out, but now for some reason I can’t seem to find the link to Admin SSL config page. Is it supposed to be at /wp-admin/options-general.php? Not seeing it there nor at /wp-admin/plugins.php. Would config page no longer be displaying because of something I did in my reset procedure?
Thanks.
@aalynx
The config page should not be affected by the Reset – by default it appears on plugins.php (next to Plugin Editor, and Akismet if you have it enabled).
If it is not there, then there must be another problem!
BCG
Ben,
Thanks for the reply.
No. It’s definitely not there. I was certainly able to get to the config page before I screwed things up by choosing the private rather than the shared option. I will keep trying to figure it out.
@aaylnx
Try using debug mode – if you can’t figure out if the log file is helping, you could always email it to me.
You could always try reset method #4..? Delete Admin SSL, all the options from the DB, and reload using a fresh download from wordpress.org?
BCG
Ben,
I have it working now. The link to the config page was definitely missing. On a whim, I thought I’d try reset method #3. After doing this, the link to the config page reappeared. Now the plugin works perfectly! Thanks so very much for your work. Now the login to our church wordpress site, http://providencepres.com , is secure.
If anyone else has this problem, try resetting method number 3.
Hi Ben,
I installed AdminSSL and followed the instructions as instructed but I get an error once I log out I enter the URL as
https://www.d-w-harvey.com/wp-admin/
but still no result.
@David:
What is the error that you are receiving? Can you enable debug mode (instructions on FAQ page) and email me the log file? This will help me to troubleshoot your problem.
BCG
HI Ben,
I have the problem resolved now. it was due to my domain not having an SSL certificate, and I didn’t know the path to the shared SSL for my host.
I don’t understand the point of Admin SSL :
Admin SSL VS SSL is ?
Is it essentially a reconfigured mod_rewrite or something?
Why if I apply a dedicated ssl cert or a shared ssl cert to myblog.com (where WP is) ….why wouldn’t it work without this plugin?
WP: wordpress 2.6.2
Type: Shared SSL
Host: 1 and 1
@Bob
Why don’t you try, and you’ll find out! If you want to access every single wp-admin page using SSL, then WordPress 2.6 will do this for you. If you only want to secure the login page, WordPress 2.6 will do this for you. But only if you have Private SSL.
However, if you want to secure individual pages but view the rest over a standard HTTP connection (much faster) you will find that with a Shared SSL setup you cannot do this, because the WordPress cookies will only work on the domain you used to sign in.
Apart from anything, this plugin does what many other plugins do: they provide functionality that is easy to use, rather than having to learn how to use mod_rewrite, or PHP. You can certainly achieve much the same with .htaccess files, but I think you’ll find Admin SSL is much easier to use!
Hope that answers your question.
BCG
Thanks for the feedback, I do have a shared SSL option but I haven’t turned it on yet at 1and1.
I’m trying to sort out with their support if using the shared SSL they offer will force me to use an arcane web address like performa.ssl.2289.myblog.com rather than myblog.com- as it is now.
i wonder if anyone uses shared ssl without having the arcane web address.
Hi, having tried to find a solution to allow a secure connection via a shared SSL to my site, I’ve now trying out this plugin.
So far its good – but I seem to have a problem.
I can secure ?page_id=127 but not when permalinks are set. ie /shipping-rates/ (using it for my tests) doesn’t appear to work.
What is the correct format for adding additional urls when permalinks are set? I don’t mind if it isn’t possible, as I can just add a link to view the secure version of a page. But it would be nicer if it was possible.
@Bob
Unfortunately that is how Shared SSL works – you share a central server which has a valid SSL certificate. That is why many hosting companies can offer it for free.
@Rich
Do you use Shared or Private SSL? I have Private SSL on my site, and it works fine, simply entering the portion of the URL after my blog URL.
So, to secure all my 2007 posts, I simply add 2007/ to the Additional URLs box on the Admin SSL config page.
BCG
I was using a shared SSL – so will have to test again.
Though I was looking at adapting your plugin for another use – which I no longer need to do – so it might be a while before I test it out again.
nice plug-in. Useful. Thanks for share.
Yay! – just upgraded to version 1.3.2 (from 1.3.1) and it’s now finally working!
There was one bug, in that if you have the checkbox for only secure URLs when user logged-in checked, then it won’t let you modify the list of custom URLs (you hit save changes, it reloads page, and all your changes have been reverted), but unchecking that allowed me to edit the list again.
Thanks
Hi,
I’m trying to decide if this plugin is the solution I’m looking for. On my WordPress site I have 2 pages, which each contain a single form (sensitive patient healthcare and history information). These forms need to be secured via SSL (I have access to private or shared), but I’m not sure how to do that in WordPress. At first I thought this plug-in would be the solution, but after reading more it seems it just secures the admin pages or possibly other PHP files–e.g. not individual WordPress pages. Is it possible, using this plugin or something else entirely, to secure individual WordPress pages using a SSL certificate or do I need to be looking in another direction? Any help from anyone would be greatly appreciated.
@Mike
Absolutely – if you have Private SSL you can secure individual URLs – that is why the box is called ‘Additional URLs’ rather than ‘Additional Pages’.
So, if you wanted to secure site.com/blog/some-secure-page/ you would add ‘some-secure-page/’ to the Additional URLs box.
BCG
Great plugin, thanks. I have one request though (and it may already be possible): Can this be toggled on and off via a constant in wp-config?
I do all my development locally before deploying to production servers and frequently take copies of the production databases for local use. When I do this, my Admin SSL settings are obviously enabled on my dev environment where I don’t have SSL set up, as it isn’t needed.
I’m envisioning something like a boolean WP_ADMIN_SSL definition. This will allow users to wrap it in conditionals and only have it enabled on certain environments (by checking the value of $_SERVER['HTTP_HOST'], for example), and not use it when it isn’t desirable.
(I realize, of course, that I can simply set up SSL locally as well, but I think a wp-config option would be a much more practical solution.)
Thanks. Feel free to e-mail me if you have any questions or need clarification about this use case.
@Kenn:
This could work – but only for Private SSL. I’ll see what I can do for the next release – I need to check compatibility with WP 2.7 as well.
BCG
Great, thank you!
I’m testing this plugin on our VPS with a shared SSL cert.
The shared SSL cert. is attached to the main domain on our VPS, PodVenturesMedia.com (a WordPress site).
The plugin version is 1.3.2.
My Browser is FireFox v3.0.3.
Under the Admin SSL settings page, the
Shared SSL URL is: https://podventuresmedia.com/wp-admin/
The test site on the VPS is Hush-T-Scape.com running WordPress 2.6.3.
When I log into the dashboard at http://www.hush-t-scape.com
the dashboard opens but without an SSL lock.
When I try to log into https://www.hush-t-scape.com (securely)
I get gibberish as expected.
Any help you could provide would be greatly appreciated
as we’d like to use this plugin and see its value in securing
a WordPress site.
John
Hi John
The default behaviour of Admin SSL is to secure the login process and user profile pages, not the entire wp-admin folder.
It is possible to do the latter, but I felt the performance hit is not worth securing every single page, but only those with passwords/confidential information on.
Can you confirm that the login process is secured with your Shared SSL?
bcg
No I cannot verify the “lock” at the bottom right
using FireFox indicating that the connection is not secure.
The test setup on the VPS with the Shared SSL Cert on PodVenturesMedia.com
a) we are testing hush-t-scape.com/wp-admin
b) the “umbrella” company is podventuresmedia.com so the SSL is issued to it and NOT to the particular URL being tested. It is a “shared SSL” cert.
c) there are MANY URLs on the VPS with their own account and under the company – that will use this plugin (assuming it works).
1) We are wanting to use the plugin with the Shared SSL Cert for any of the WordPress sites on the VPS.
2) We’re only needing to protect the login and as the plugin has been designed to do.
Other possibly useful information:
And when I logout, the URL is:
https://hush-t-scape.com/wp-admin/ and with a “lock” in FireFox and on the screen with the expected Warning: Unknown: open_basedir restriction in effect.
When I attempt to log back in at http://hush-t-scape.com/wp-admin/
It logs me in automatically without asking for my password
which has not been set to be “saved.” ???
Note:
Under the settings for the Admin SSL plugin and
for the Shared SSL URL
Per our tech support at our VPS hosting company,
it is “https://hush-t-scape.com/wp-admin”.
They said that although the cert. is issued to podventuresmedia.com
which is the main site on the VPS and our company URL,
the plugin’s Shared SSL URL setting should be set in Hush-T-Scape.com for the site that’s using the plugin:
https://hush-t-scape.com/wp-admin.
I really do appreciate your work on the plugin and
your response to my email.
John
The plugin is great. I found one issue with version 1.3.2. If you are using nextgen gallery and you select show slide show, it invokes the jw image rotator (flash) with an url feed like
http://talon.bogometer.com/wp/wp-content/plugins/nextgen-gallery/nggextractXML.php?gid=7
This will invoke the nextgen gallery plugin file nggextractXML.php.
It will go for wp-load.php in 2.6 which causes the init function of admin_ssl in https.php to run. That sets up as_ob_handler to run later as an output filter. When as_ob_handler is subsequently called, the routine get_option (for get_option("home") or get_option("siteurl")) is not loaded for some reason. That causes the generation of the xml to fail for nextgen and so no slide show.
I kludged around it with
if (!function_exists('get_option')) return $buffer;
But you may want to look into it.
@Shane:
Thanks very much – I’ll have a look into it!
BCG
Hi,
I need to secure an order page here:
http://www.logoquality.com/order/logo-design/order-logo/
The problem I have is that my wordpress is in the directory wordpress.
When I put my URL to secure in the box like:
order/logo-design/order-logo/
The Admin SSL tries to secure:
https://www.logoquality.com/wordpress/order/logo-design/order-logo/
This does not exist like this though.
Can I have SSL work on this page or not? What do I need to get it to work?
Thanks.
@Simon
Admin SSL will not work when you have wordpress installed in a different directory to the URL – strange things happen in the interaction between Admin SSL and WordPress, as you have discovered. I have spent a long time trying to work around this, but simply cannot get it to work.
BCG
Using Stable tag: 1.3.2
I tried to reset the plugin http://www.kerrins.co.uk/blog/admin-ssl/reset/
Second way: visit admin-ssl-reset.php
I and it appeared to work. The plugin was disabled at the time, but when I re-enabled it, the Admin SSL option was gone. I tried deactivating, deleting the plugin, and re-extracting it, but that didn’t work.
I was going trying everything I can think of because it doesn’t appear to be working. I’m using WordPress 2.6.5.
I’m trying to use shared SSL on BlueHost.com in order to get WP e-Commerce to work http://www.instinct.co.nz/e-commerce/securing-wordpress
BlueHost can only do a dedicated SSL for your primary domain, which is not the one I’m using. I don’t know if that has anything to do with why SSL Admin won’t work either. I am using the shared SSL URL.
I say this is not working because none of my pages appear to be encrypted, except for when I logout I get a 404 page not found error and the secure URL with my account name and WordPress site name in the URL show up.
In WP e-Commerce plugin admin panel there is a page to configure customer payment options, but it shows up as
Note: Please put this link to your Google API callback url field on your Google checkout account: http://mydomain/index.php
Google won’t accept a URL without an https
I have tried using the same shared URL string that is used to configure Admin SSL, but that returned errors.
Again, I have the problem that I have messed with this until the Admin SSL options disappeared from the Admin panel for the Plugins.
Any suggestions? :’(
@Amapola
Have you tried the third way? If you change the ‘RESET’ constant to ‘true’, and then enable the plugin, this will ensure that all Admin SSL’s options are reset – the other methods may not be working for you.
Other than that – I have no experience of the e-commerce plugin, so I can’t really suggest anything. Admin SSL works fine with Shared SSL on its own, but interaction with other plugins may well cause things to act in a strange way.
BCG
Well, it looks like I’ve mucked up things pretty well now. I tried to sign in, but it says:
“Redirect Loop
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.”
I deleted the plugin, but WordPress didn’t deactivate it. I got the same error when trying to sign in again.
I tried re-extracting the plugin, and then the Third Reset Method:
Changed define("RESET",false); to define("RESET",true);
I guess I will have to hack the plugin out of the MySQL database using phpMyAdmin, or restore my database from backup.
@Amapola
The redirect error normally comes when there is a spelling mistake or something in the Shared SSL URL – there hasn’t been a redirect bug in Admin SSL for several months now.
The other way of stopping the redirection is simply to delete the Admin SSL files, and use one of the option manager plugins to remove all the Admin SSL options from the database.
BCG
I tried deleting the plugin, but the site kept getting redirected to the URL I had set in the SSL Admin configuration.
I figured I had some sort of database problem so I tried to restore from backup. That didn’t go very well.
Maybe it was a WordPress corruption problem, since it didn’t detect the plugin had been deleted, and deactivate it.
To make a long story short, I am in the process of rebuilding the site from scratch.
I should have known better than to test this out on one of my live sites rather than a test site.
@Amapola
That is very strange, if you deleted the plugin, but the redirection was still happening?! Did you delete all references in the WP database to the Shared SSL URL?
BCG
So Far so good. Installed v1.3.2 on a new installation of WordPress 2.7 and it seems to work fine. All I was looking for was a redirect to HTTPS for logging in to WP-Admin and it works like a charm. Thanks for the great plugin!!!
When you enable the plugin with the gallery feature the gallery stops working. Seems like a bug just wanted to let you know.
Thanks – I’ll look into it.
Hi,
After enabling your plugin the slideshow feature of the nextgen gallery plugin stopped working. If I deactivate your plug-in the slideshow works again. I think there might be a bug somewhere.
Just to let you know…
happy new year
Just some additional info for you:
I think the problem is related with what Shane Hartman’s post mentioned… only I’m using the most recent version of nextgen gallery: and the file causing the problem is located in wp-content/plugins/nextgen-gallery/xml/imagerotator.php.
Hope it helps…
Is there a tag for 1.3.4 in SVN? If not, could you please add?
Thanks
@Jason:
I’ve committed a 1.3.5 and added a tag – can’t believe I forgot for 1.3.4!
@bcg: Sweet, thanks
Missed a bit on the tag location
I think I should have had some coffee when I got up this morning…
I am having trouble with mixed content errors on my secured pages because of the following 2 plugins:
Nextgen Gallery and Cforms. I’ve replaced Cforms for now, but would like to get Nextgen working. The Nextgen css file url in the header is the culprit. It is the only url (other than 2 Cforms urls) that isn’t referenced as https.
@NZ: I’ll try and look into it over the next few days. Cheers.
Thanks!
Forgive me if I’m being dense; I think this was covered in earlier in the thread, but I just want to be sure.
I’m using WordPress MU 2.7 (beta) and Admin-SSL 1.3.5. I’m running my WordPress MU install in directory mode (e.g. wordpress.foo.edu/bar) rather than subdomain mode (e.g. bar.wordpress.foo.edu). With Admin-SSL installed, the redirects work perfectly for the top-level, mother blog (the admin blog at wordpress.foo.edu) but all lower-level, daughter blogs (wordpress.foo.edu/bar/wp-admin/) throw 404 errors when I try and access them.
Everything redirects to https correctly, it’s just that the page won’t load. Based on your initial post and the comment thread, I’m guessing this relates to your comment that “Admin SSL has ‘erratic’ behaviour when WordPress is not installed in the same directory as the WordPress URL.” because of the WordPress rewrite voodoo.
So things are fine as long as you’re in the base directory for the mother blog, but once you get into a subdirectory for one of the daughter blogs, things fail because of the redirect issues?
Or should things work for the daughter blogs as well, and I should be hunting elsewhere for the solution to my 404 woes?
I figured out my issue. It turns out that the SSL-protected pages would not load because the ssl.conf information for that virtual host had “AllowOverride None” instead of “AllowOverride FileInfo Options”. Once I tweaked the setting and rebooted apache, htaccess was able to do its things, pages were redirected correctly and Admin-SSL worked like a dream.
@Ken – Great news. I’m having trouble getting time to troubleshoot some of the stuff people are posting on here, so I’m glad you’ve sorted it.
Hi
When I try to use Admin SSL with WP 2.7 I get a funny redirect to my login page.
I use a shared setup where I’ve made the alias “/wp”. When enabling shared ssl and type in this: “https://pregel.dk/wp/wp-admin”
the link is messed up and becomes: “https://pregel.dk/wp/wp/wp/wp-admin” which of course doesn’t work.
/T
@Thomas
Are you using the WordPress home in a different directory to the URL feature? It may be that that is the problem – if not it sounds like something else is going on.
BCG
I’m not sure if I understand you correctly but yes, I’ve got wordpress in one directory and my ssl virtual host is in an other directory. I’ve tried both making an alias on my ssl virtual host and copied the wp-admin directory directly under the ssl directory.
/T
@Thomas
Perhaps you could enable debug mode and email the debug log (instructions can be found on the site).
bcg
Dear Sir,
I tried to use your plugin with shared ssl certificate, however unfortunately I get the infinite loop problem before being able to access the login page.
The path to wp-admin should be definitely correct, however the HTTPS detection fields are HTTPS and ON which sounds me wrong. I have no idea how to set them though!
You can have a look at my debug.log here EDITED
Thank you very much for your support!
@alde
I’ll email you…
I’ve run into an intermittent problem with xmlrpc and Admin SSL.
Blog runs fine w/o SSL. Also runs fine w/Admin SSL. I’ve added “xmlrpc.php” to the list of secured files, though, and that’s where I have a problem.
With “xmlrpc.php” secured, my blog sometimes ships out malformed XML responses to blog editors when they are trying to retrieve a list of posts. I’ve noticed, for example, a missing tag.
This does not happen all the time. For example, on one blog I can get a refresh of the list from the blog editor to succeed if I limit it to 1 item, but it fails (with the missing tag above) when I include the 3rd item. When I disable Admin SSL the blog editor gets good data from my server.
Any ideas on how Admin SSL might be interacting so oddly with xmlrpc? Any suggestions on how to debug this problem?
I think I found the xmlrpc problem.
It turns out that Admin SSL assumes that it should rewrite self-referencing http URLs in the outbound buffer so that they point to https. Normally this is a good idea (avoids many warnings from the browser). But it is a bad idea when the outbound buffer is an XML file which WordPress already assumes to be of a given length. Essentially, the rewritten buffer was too long and some tags (including the closing tag) were getting cut off.
My suggestion: explicitly exempt xmlrpc.php from the substitution. I’ve done this rather crudely, I’m sure you may have a prettier way of accomplishing the same thing. Here’s the patch that worked for me:
In https.php replace…
$buffer = str_replace($replace_this,$with_this,$buffer);
with…
if(strpos(req_uri(),"xmlrpc.php") === false) { $buffer = str_replace($replace_this,$with_this,$buffer); }
Presto, my blog editor can now parse the XML being returned by xmlrpc.php.
By the way, this also explains why the problem did not always occur. Some of the blogs didn’t have any images in the posts. No images meant no local URL references. No such references meant no substitutions. No substitutions meant no changes in response length. Everything worked in those cases.
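Added example (not part of the comment thread, and neither Admin SSL's nor WordPress's code): a reproduction of the truncation described above, where the length is fixed before the http-to-https rewrite lengthens the body, followed by a buffer callback that skips the rewrite. It goes one step beyond the patch in the comment by also skipping any response that already has a Content-Length header queued; all function names, the host name and the XML body are constructed for illustration.

```php
<?php
// Added example: not Admin SSL's or WordPress's code. All function names are
// hypothetical; the XML body and URLs are constructed sample data.

// The rewrite the comment describes: self-referencing http URLs become https.
function rewrite_to_https($buffer, $http_base, $https_base)
{
    return str_replace($http_base, $https_base, $buffer);
}

// A client that trusts Content-Length reads exactly that many bytes.
function read_as_client($sent_body, $declared_length)
{
    return substr($sent_body, 0, $declared_length);
}

// Output-buffer callback that leaves length-sensitive responses alone.
// $queued_headers is what headers_list() returns inside a real request.
function safe_ob_handler($buffer, $request_uri, array $queued_headers, $http_base, $https_base)
{
    if (strpos($request_uri, 'xmlrpc.php') !== false) {
        return $buffer;               // the exemption proposed in the comment
    }
    foreach ($queued_headers as $header) {
        if (stripos($header, 'Content-Length:') === 0) {
            return $buffer;           // a length was already promised to the client
        }
    }
    return rewrite_to_https($buffer, $http_base, $https_base);
}

function ends_with_closing_tag($xml)
{
    return substr($xml, -17) === '</methodResponse>';
}

$http  = 'http://blog.example.com';
$https = 'https://blog.example.com';

// Three posts, each containing one local image URL (escaped inside the XML).
$items = '';
foreach (array(1, 2, 3) as $n) {
    $items .= "<value><string>&lt;img src=\"$http/wp-content/uploads/$n.jpg\"&gt;</string></value>";
}
$xml = '<methodResponse><params><param><value><array><data>'
     . $items
     . '</data></array></value></param></params></methodResponse>';

// Unsafe order of operations: length fixed first, buffer rewritten afterwards.
$declared = strlen($xml);
$sent     = rewrite_to_https($xml, $http, $https);
$received = read_as_client($sent, $declared);
printf("declared %d bytes, sent %d bytes, %d bytes cut off\n",
    $declared, strlen($sent), strlen($sent) - $declared);
printf("rewritten response complete: %s\n", ends_with_closing_tag($received) ? 'yes' : 'no');

// Same request through the guarded callback: body and length still agree.
$safe     = safe_ob_handler($xml, '/xmlrpc.php', array("Content-Length: $declared"), $http, $https);
$received = read_as_client($safe, $declared);
printf("guarded response complete:   %s\n", ends_with_closing_tag($received) ? 'yes' : 'no');

// A response with no local URLs is unchanged by the rewrite, which is why the
// failure only appeared on blogs whose posts contained images.
$plain = '<methodResponse><params></params></methodResponse>';
printf("no-URL response changed:     %s\n",
    rewrite_to_https($plain, $http, $https) === $plain ? 'no' : 'yes');
```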
@Eric
Your way may be ‘rather crude’, but I think it might be the simplest way! I’ll look into it, and release a new version. Thanks for bringing it to my attention, I didn’t know anything about xmlrpc.php.
Cheers
bcg
Hi
Just failed to set up Admin SSL on my site running WordPress 2.7.1
I have to run my site on non-standard port (8079) since my provider firewalls incoming connections on port 80.
So my blog URL contains port number – http://yoush.homelinux.org:8079/
My web server is set up to serve SSL connections on port 443, it works outside of wordpress area.
I tried to set up SSL Admin.
First, I selected ‘private ssl’, but that resulted in attempts to access https://yoush.homelinux.org:8079/, which obviously failed.
Then I selected shared ssl and entered URL https://yoush.homelinux.org/wp-admin/
It looked ok. However, then I reloaded my blog’s main page, and it contained admin link still http://, not https://. Logout link was https://, but it did not work: if I clicked on the link, it resulted in an error message with “try again” link pointing to the site’s main page.
Had to disable Admin SSL for now.
Could you please help?
Where do the settings show up in 2.7.1? I can’t seem to find the Admin-SSL config page anywhere. I have it installed and activated. Any help would greatly be appreciated. Thanks for the great plug-in!
@Richard
You can get there either by clicking the ‘Settings’ link in the main Plugins page. Depending on your own setting, it will be under the Plugins menu, or the Settings menu (the default is the Plugins menu).
@Nikita
Can you follow the instructions on the FAQ to enable debug mode and email me the debug log, please?
bcg
Those WP “menus” can be hard to find in 2.7.
After you click on “Plugins” you should see “Admin SSL”.
You can choose to move “Admin SSL” to the “Settings” menu, though. If you do, then click on “Settings” and you will see it.
You can “twist” the little arrows on the right of the section names (“Plugins” or “Settings”) to try to keep them displaying all the time, but this does not always work, in my experience.
@bcg
It does not appear in either of those menus. Does that mean something did not get installed properly?
@Richard
Is it enabled on the plugins page? The plugin must be activated once it is uploaded – once it is activated, the Admin SSL settings link should appear.
@bcg
Yep it is enabled and everything… I have used this plugin with older installations and it worked fine, but for some reason it is just not working in 2.7.1
@Richard
This is very strange, as I am using 2.7.1 myself – are you using the latest version (i.e. 1.4 or above)?
@bcg
yep, i am using the latest version. i have been having an issue with folder permissions, i.e. not being writable, could this be causing a problem?
would you like me to email you instead of clogging up your blog?
it happened to me too. Richard, you have to reset the plugin by typing in the url to the reset php file in the plugin folder.
The problem arises when you choose to show the plugin settings in the Settings menu (if you opt for the Plugins menu everything works as expected).
A few times I also managed to make the plugin page show by reducing wordpress side menu (clicking on the two arrows) and then again clicking NEAR the two arrows just a few millimeters on the right of them. Passing over the mouse you probably should see a glitch indicating the ‘hidden’ menu. Anyway if you reset the plugin everything will be restored.
Cheers
@alde & @Richard
Switching between the Plugins and Settings menu works absolutely fine for me – It would be good to track this bug down, if you could email me any further info?
Hi Ben,
I installed the plugin today, and since I did, when I click the log out link I get a message saying:
“You are attempting to log out of channeltom.com | blog
Please try again.”
Is this something you’ve seen or can fix?
Many thanks,
Tom
PS – other than this I love the plugin!
@Tom
No it isn’t – can you do the debug log thing (FAQ page) and email it to me? Make sure you do a log off with the log enabled, so I can get a better idea of what’s happening.
Cheers
bcg
I periodically end up in an infinite redirect loop using shared ssl where I am bounced between /wp-login.php on my secure site and my regular site.
I can get Admin SSL working again by renaming the admin-ssl-secure-admin plugin directory (thereby disabling it), logging into WordPress, renaming the admin-ssl-secure-admin directory back, and reactivating the plugin. After doing that I can logoff and on with no problems for some time (a day or two) before the problem comes back.
Any ideas?
WordPress v2.7.1
Admin SSL v1.4.1
@Mike
It would be really helpful if when this happens you could enable the debug mode and send me a debug log – it is impossible for me to track down these redirect bugs without that log file.
Thanks!
bcg
hi, thanks for the great plugin you wrote, but since wp 2.7.1 visitors can’t comment on the blog.
I’m gonna keep an eye on this for the next couple of days, but I disabled all plugins and then enabled them one by one, and everything’s ok without admin-ssl.
So, talk you back in two days to confirm.
@Maski
Thanks – let me know what you discover, if I get some time I’ll look into it myself as well. Obviously people can comment on my blog ok, and I use Admin SSL!
bcg
Yeah I know it sounds awkward, but maybe it’s one of those bugs that arise when two different plugins interact.
In my case I had no comments in the whole weekend, right now I’m testing in two different blogs, if I find anything I’ll post.
Everything seems to be working fine. Only if I go from Dashboard to Users I get the following message:
Secure Connection Failed
http://www.shimshon9.com uses an invalid security certificate.
The certificate is only valid for *.ipower.com
(Error code: ssl_error_bad_cert_domain)
* This could be a problem with the server’s configuration, or it could be someone trying to impersonate the server.
* If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.
Any ideas why this is happening?
I’m having the same problems as Mike…
Shared SSL setup resulting in a redirect loop error:
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
My host tells me this is a problem with the plugin (probably a standard answer of theirs).
Any ideas?
Pat
@Pat
What are your cookie settings like? If you could send me a debug log, that would be helpful – I use Admin SSL 1.4+ on both Private and Shared SSL setups, with WP 2.7.1, and don’t have any problems.
@Shimshon
Are you using Shared SSL setup? It sounds like you haven’t quite entered your settings correctly, and Firefox is complaining!
bcg
Hi bcg,
first let me thank you for this great plugin. I have the same problems as mike and pat.
Using WP 2.7.1 and AdminSSL 1.4.1 with shared SSL – ending in a redirect loop.
Did you need my debug log for diagnostics too? If so I will email it to you.
Thanks in advance,
Jens
@Jens
Thanks for the log – there is obviously a problem somewhere, but I think tracking it down is going to be tricky, given that it isn’t happening 100% of the time. I’ll get my thinking cap on!
Cheers
bcg
Hi bcg,
think, I found the solution to fix the fatal error caused by admin-ssl-test
Alter line 197 inside admin-ssl-test.php to:
require_once("admin-ssl.php");
Naturally this will only fix the test, not the loop…
Cheers,
Jens
Hey there,
this plugin is working great for me except that the login redirect is taking me back to http:// rather than https:// in the backend.
This is the redirect url https://www.fairgrounds.org.uk/wp-login.php?redirect_to=http%3A%2F%2Fwww.fairgrounds.org.uk%2Fwp-admin%2F
I added wp-admin/ to the secure list, but this makes no change, should I send you a log?
Thanks
Nathaniel
edit:
I should say that if I put the ‘s’ in the url in the backend, all seems to work as it should
@Nathaniel
I’m not sure what you mean – do you mean the ‘s’ in ‘https’?
bcg
I’ll try to make it clearer;
when I first go to login to my admin:
http://www.fairgrounds.org.uk/wp-admin
the url is then automatically changed to:
https://www.fairgrounds.org.uk/wp-login.php?redirect_to=http%3A%2F%2Fwww.fairgrounds.org.uk%2Fwp-admin%2F
I enter my details and I am then taken to:
http://www.fairgrounds.org.uk/wp-admin/
I was assuming that the redirect should take me to:
https://www.fairgrounds.org.uk/wp-admin/
If I then log out I get:
https://www.fairgrounds.org.uk/wp-login.php?loggedout=true
and then log in with my details, I get:
https://www.fairgrounds.org.uk/wp-admin/
which is the correct ‘https’ prefix I should be expecting
I hope that makes sense,
Nathaniel
Hi there
I’ve got Admin SSL working ok, except that I’m stymied by “Security Warnings” in both Firefox and IE on the page I want secured (Order page)
I’ve tried a test page at https://www.FlexiScreens.com/contact/test with almost zero content, but Error Warnings persist. I’ve also deactivated all plugins 1 by 1, no luck.
Any thoughts on what to try next, because I cannot ‘see’ WHAT the non-secure content is!
Hi Ben,
I think I found it:
Have a look at your quantcast stuff you implemented it via http:// (js and img).
The rest seems to be ok from my point of view.
/Jens
Hi all
Sorry I’m really busy atm with work – thanks Jens for looking into this for me! Nathaniel, can you send me a debug log for when you initially log in please? Obviously the first redirect is not working for some reason.
bcg
Hi Jens
Ok, will do that. My tech guy says pretty much every page/image reference needs to be HTTPS to eliminate the Security Warnings – and there is a problem with the Theme we are using which does not allow for relative URLs – the menus are ALL forced to HTTP etc.
He says that this is the problem needing some work;
Anyway, will report on what happens next – success/failure etc.
@Ben
You could try using the ‘additional URLs’ feature of Admin SSL to secure some of these links? I usually use that feature only for admin stuff, but it should work site-side as well, particularly if you have private SSL.
bcg
Hi BCG
Yeah, tried that, but it then applies the HTTPS links to all pages!!! E.g. if I add the RSS ‘feed’ page to “Additional URLs” then the RSS feed is changed to HTTPS on ALL pages! That’s not optimal…
Cheers
Ben
Hi there
Well, Jens was partly right – changing Quantcast URLs to HTTPS was part of it, but we also had to change the Google Analytics URL to HTTPS to resolve the problem of Security Warnings.
Thanks
Your plug-in seems to work great! I only have one minor concern. It seems that since installing your AdminSSL plug-in, that every image I upload includes a https URL. I have checked and can verify that the “/uploads” directory is not in the “URL LIST” section.
This happens each time I upload a picture with a blog posting I create.
Also, there seems to be an issue when the option “you must be logged in to post” is selected, when your AdminSSL plug-in is enabled.
There is no problem logging in, the issue comes when you try to log out. You get a message stating that you are attempting to log out with a link to try again!
@bamajr
Do you have the wp-admin/ folder in the additional URLs list?
bcg
Is there a way to force a wp menu use https
without adding all the pages to the secure urls options box?
Seems like Admin SSL can secure about 97% of the urls in the header but 100% have to be secured or the certificate fails and the lock icon shows up as broken.
The archives links in the header cannot be secured by Admin SSL so I added all of them up to 2011 because I don’t mind those being https. Is it harmful to just remove those from a wp header?
The wordpress shopping cart adds stuff to the header like a var base url that can’t be secured by this plugin either.
I had this working 100% and then I changed permalinks and now it isn’t 100% anymore.
Hi, I want to use the plugin with wordpress mu (2.7), but I get an error saying “Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.”. Am I doing something wrong?
I think this might have to do with that I’m running httpd on RHEL (Red Hat Enterprise Linux). It seems to work fine on a debian install. When I turn on debugging it has a lot of ### ADMIN SSL BEGINS ### for ONE page reload! It seems not to understand that it already is https we’re talking..
@Bjørge
It may well be the SSL detection that’s playing up – have you got the right variables on the Admin SSL options page?
I had an error in my configuration resulting in $_SERVER["HTTPS"] not being set to “on”. Fixed now.
Another issue:
“Please note that installiation of Admin SSL on WPMU is only possible for Site Administrators”
What do you mean by this?
Can I not secure all admin sites on all blogs?
Regards
Bjørge
@Bjørge
It means that the Admin SSL options will only be available to users with admin rights. It will by default secure the admin pages of all users – but only administrators can edit Admin SSL options (e.g. turn SSL off).
bcg
@bcg
My problem is exactly that; I get ssl on b.uib.no/wp-admin, but not on anythingelse.b.uib.no/wp-admin. I noticed when I turned on logging that this appears in the log file:
Is WPMU: No
Could there have been changes in WPMU 2.7 that makes the variable global $plugins_dir be plugins, not mu_plugins?
Also, the Admin SSL setup configurator appears in the b.uib.no blog, not in the “Site Admin” bar.
Bjørge
I talked to donncha (maintainer of wpmu) and the way you check if you are in a wpmu-install is not the recommended one:
in function is_wpmu you should check for the presence of either function is_site_admin or the variable $wpmu_version
Bjørge
Sorry. It works, I played with a symlink in mu-plugins instead of copying the file. This altered $dir to admin-ssl (should be mu-plugins).
Hi – I’m having trouble.
I secured my checkout page but get the following error:
Forbidden
You don’t have permission to access /index.php on this server.
Apache/2 Server at web103.secure-secure.co.uk Port 443
This is the URL:
https://web103.secure-secure.co.uk/turnkeytelecom.com/products-page/checkout
Have tried it with and without a trailing URL.
@Hampstead
It sounds like there is a problem with your hosting company setup – have you contacted them to ask if they have any ideas?
bcg
Hi bcg,
on March 3rd I was detecting an error in my working environment – Using WP 2.7.1 and AdminSSL 1.4.1 with shared SSL – ending in a redirect loop…
Was my logfile helpful and did you get any news by now?
Thanks for the update,
Jens
@Jens
I haven’t had a moment to do any work on Admin SSL for a while now – I’ll try and do some this week maybe, and get back to you. Sorry about that!
bcg
I’m running mu 2.7.1 and private SSL with a self-signed cert during testing. The download is the latest from wp.com.
It is working perfectly with the exception of new blog activations. When I click the activation link in the email, I end up getting sent back to the site home page and the blog never gets activated or created in the database.
I went ahead and activated the debug log. It’s empty.
Any ideas?
@Scott
Can you send me a copy of the two activation emails please, one with Admin SSL enabled, the other with it disabled?
Cheers
bcg
Further to this issue – I found that the activation link works just fine if I disable admin-ssl first. The activation link looks something like – http://newblog.mysite.com/wp-activate.php?key=12345678
I also found that it would work just fine with admin-ssl enabled if I removed the subdomain from the url and directed it right at the main site – http://mysite.com/wp-activate.php?key=12345678
Thanks!
I’ve posted my problem here: http://wordpress.org/support/topic/265920 ..so please give solutions. Thank you so much.
I set up Admin SSL then went to change the options on my theme, Atahualpa, and all I got was a blank white page. Any help?
Thanks,
Kurt
@ Kurt
Hi I have Admin SSL installed with Atahualpa theme on a client’s site and the Atahualpa theme options page does work OK so your problem is specific to your site, not a general conflict between the two.
Hi,
I’m using 1.4.1 with shared SSL and was getting endless redirect loop.
My webhost is 1&1 and when using shared ssl, the blog url becomes https://ssl.perfora.net/myblog.com/. The check “host() !== $url["host"])” on line 186 of https.php was always failing because host() is myblog.com and $url["host"] is ssl.perfora.net. So, I commented out that check to break the redirect loop.
-V
This might help other folks trying to use admin-ssl with 1and1 using shared ssl.
Secure my site with SSL [check]
Shared SSL [check]
Shared SSL URL [https://ssl.perfora.net/myblog.com/wp-admin]
HTTPS Detection
HTTPS $_SERVER variable name [HTTP_X_FORWARDED_SERVER]
HTTPS $_SERVER variable value [ssl.perfora.net]
All options need to be entered without [ ]
@VC: Thanks for your work and for posting your solution!
I can say it works for me too
For the hoster all-inkl you only have to alter
HTTPS $_SERVER variable value to [ssl-account.com]
By now it works like a charm and I want to say thanks again for this great plugin and this solution!
Cheers,
Jens
I am using this on a WP install for a client. Whoever originally installed WordPress didn’t install WP in the root directory, but rather the directory /wp, but WP publishes to the root. So if I want to go to the admin I type domain.com/wp/wp-admin. If I want to visit the site I type domain.com.
When I turn on admin SSL it forces a redirect of domain.com -> domain.com/wp/ which produces a 404. It also does a weird rewrite of the URLs in additional URLs. If my URL is domain.com/additional-URL/ it rewrites the URL to domain.com/wpditional-URL. Notice how it truncates part of the address as it places in the WP.
My question is: is there any way to get the plugin to ignore the /wp/ for page level enforcement? I really don’t want to move the WP install as there would be lots of referential issues I would have to untie.
Thanks for the help
Hi, I want to use the WordPress MU Domain Mapping plugin for WPMU. It is made by the lead developer of WPMU. http://ocaoimh.ie/wordpress-mu-domain-mapping/
My problem is that I use Admin SSL too, and the combination of these two fails miserably (redirect loop). Has anyone else had any success in using these together? Using them one at a time is no problem.
I use WPMU 2.7.1.
Hope you have some ideas!
Regards
Bjørge
Same for me. For that reason and for the problem I posted previously about, I ended up using the force SSL Login setting in wp-config.
Hello!
I just installed Admin SSL
I am running WP 2.7.1, latest downloadable Admin SSL with private SSL.
I just can’t seem to get it working :3 whenever I login with https, it says I have an infinite loop. Normal still working fine, plugin enable and I can still browse all areas, just not in SSL (https).
I tried disabling all addon but no dice. I’ve also tried to temporarily disable mod_rewrite, no dice. I’ve also googled and people tell me to do silly things such as open and saving options-permalinks.php and yet still no dice.
I’ve read quite a few pages here and no help.
Any help could be appreciated.
Any ideas what could be wrong?
I could email you a debug log if that helps.
Thanks again
@Maiev
Have you checked the HTTPS detection server variable key/value pair?
bcg
Hay bcg,
I took some time to examine what you said + previous post
got my answer XD
A.W.S.
8 August 2008 at 11:17pm
Thanks for a great plug-in. I hope this gets rolled into the core WordPress distribution. Especially considering how many people update their blogs on coffee shop wi-fi and other untrusted networks.
I would like to point out that version 1.1 of the plug-in does not work with Apache 1.3 out of the gate. This is probably the issue that @TFB ran into. Basically, Apache 1.3 (which a lot of hosting companies use) doesn’t have the HTTPS variable available. (Look under “specials” in the mod_rewrite 1.3 documentation (http://tinyurl.com/fgsge) and the 2.0 documentation (http://tinyurl.com/kawns) for confirmation.)
Assuming that the hosting provider runs HTTPS over port 443, a fix for this in the Admin-SSL plugin under “Other Settings” -> “HTTPS Detection” is to set:
“The name of the HTTPS $_SERVER variable” = “SERVER_PORT”
(without the quotes),
and:
“The value of the HTTPS $_SERVER variable when HTTPS is ON” to:
“443” (again, without quotes)
I set my HTTPS $SERVER variable as Server Port, then the port being the “actual” port of the SSL, being some weird numbers and got it working
ur plugin rocks! thanks again and sorry to bother u
now just gotta find the donate button XD
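How the HTTPS detection pair discussed in the comments above (HTTPS = on, SERVER_PORT = 443, HTTP_X_FORWARDED_SERVER = ssl.perfora.net) decides whether a redirect loop occurs, as an added PHP illustration that is not Admin SSL's own code. The function names and the three sample `$_SERVER` environments are constructed assumptions; only the name/value pairs come from the thread.

```php
<?php
// Added illustration (not Admin SSL's code). Function names and the sample
// $_SERVER arrays are constructed; the name/value pairs are quoted in the thread.

const REDIRECT_LIMIT = 10; // stand-in for the browser's own redirect limit

/** True when the configured $_SERVER entry equals the configured "HTTPS is on" value. */
function request_is_https(array $server, string $name, string $onValue): bool
{
    return isset($server[$name]) && strcasecmp((string) $server[$name], $onValue) === 0;
}

/**
 * Apply "redirect to https:// unless the request is already HTTPS" and count
 * the redirects issued. Reaching REDIRECT_LIMIT means HTTPS is never recognised.
 */
function redirects_until_settled(array $overHttp, array $overHttps, string $name, string $onValue): int
{
    $server = $overHttp; // the first request arrives over plain HTTP
    $hops   = 0;
    while (!request_is_https($server, $name, $onValue) && $hops < REDIRECT_LIMIT) {
        $hops++;
        $server = $overHttps; // the browser follows the redirect to https://
    }
    return $hops;
}

// Constructed environments: what PHP might see over HTTP and over HTTPS on each host.
$hosts = [
    'server that sets HTTPS=on' => [
        'http'  => ['SERVER_PORT' => '80'],
        'https' => ['SERVER_PORT' => '443', 'HTTPS' => 'on'],
    ],
    'server with no HTTPS variable' => [
        'http'  => ['SERVER_PORT' => '80'],
        'https' => ['SERVER_PORT' => '443'],
    ],
    'shared SSL behind a proxy' => [
        'http'  => ['SERVER_PORT' => '80'],
        'https' => ['SERVER_PORT' => '80', 'HTTP_X_FORWARDED_SERVER' => 'ssl.perfora.net'],
    ],
];

// Detection pairs mentioned in the comments.
$settings = [
    ['HTTPS', 'on'],
    ['SERVER_PORT', '443'],
    ['HTTP_X_FORWARDED_SERVER', 'ssl.perfora.net'],
];

foreach ($hosts as $label => $env) {
    foreach ($settings as [$name, $onValue]) {
        $hops = redirects_until_settled($env['http'], $env['https'], $name, $onValue);
        printf(
            "%-30s %-24s = %-16s %s\n",
            $label,
            $name,
            $onValue,
            $hops >= REDIRECT_LIMIT ? 'redirect loop' : "settles after $hops redirect(s)"
        );
    }
}
```

A marker taken from a request header (any `HTTP_*` entry) is only reliable when the front-end proxy sets it on every request and the backend cannot be reached around the proxy, because otherwise the client controls its value.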
Hi, I found a bug in this plugin.
I reported the bug with a patch on WordPress forum:
http://wordpress.org/support/topic/267385
Please look.
@RedGecko
Thanks I’ll look at adding this to the source.
bcg
I have admin-ssl installed. It seems that it’s not possible to open any blogpost via https, but only via http. Is this a known issue of admin-ssl?
Can’t admin-ssl just ignore the url if it’s already secure?
I run into this problem because I also use a Twitter plugin. When I mark a post to be send to Twitter, it automatically created a bit.ly shortcut to the https-url of the blogpost because I’m logged in and working via https.
Hi again,
I found that wpmu-plugin domain mapping adds two actions:
add_action( 'pre_option_siteurl', 'domain_mapping_siteurl' );
add_action( 'pre_option_home', 'domain_mapping_siteurl' );
Admin SSL does not add these actions, but some others and some filters.
What I am wondering is how Admin SSL does the redirect to ssl, can you point me to the correct place in the source please?
Domain mapping does it pretty simple, it rewrites it like this:
$protocol . $domain . $current_blog->path
where protocol is https:// or http://
It seems that Admin SSL and Domain mapping are doing redirects that “compete”. Example: I have b.uib.no wpmu install, and test.b.uib.no wants to be mapped to test.com using Domain mapping plugin. I don’t know which one does the first redirect, but it seems this is what happens:
..
AS redirects to https://test.b.uib.no/wp-admin
DM redirects to https://test.com/wp-admin
AS redirects to https://test.b.uib.no/wp-admin
DM redirects to https://test.com/wp-admin
etc.
I have the same exact issue as Jeremiah… any resolution to this?
Jeremiah
4 May 2009 at 10:37pm
I am using this on a WP install for a client. Whoever originally installed WordPress didn’t install WP in the root directory, but rather the directory /wp, but WP publishes to the root. So if I want to go to the admin I type domain.com/wp/wp-admin. If I want to visit the site I type domain.com.
When I turn on admin SSL it forces a redirect of domain.com -> domain.com/wp/ which produces a 404. It also does a weird rewrite of the URLs in additional URLs. If my URL is domain.com/additional-URL/ it rewrites the URL to domain.com/wpditional-URL. Notice how it truncates part of the address as it places in the WP.
My question is: is there any way to get the plugin to ignore the /wp/ for page level enforcement? I really don’t want to move the WP install as there would be lots of referential issues I would have to untie.
Thanks for the help
“Admin SSL has ‘erratic’ behaviour when WordPress is not installed in the same directory as the WordPress URL. This is because of the way the WordPress canonical redirection functions work. I have not yet been able to overcome these.
The login page (and other admin pages) can be secured, but nothing on the site side.”
so this is to say then that since my site is setup with a static front page at annamayer.com and that the loop is at annamayer.com/news and my blog is installed at annamayer.com/ibablog that it will not work. correct?
@Brian
Yeah – on the FAQ you’ll see that this is known, but there’s nothing I can do about it, I’ve worked long and hard to try and fix it, but I haven’t managed it so far.
bcg
I installed admin-ssl on my server at http://www.waterswebshops.com yesterday and it worked fine.
Today, we upgraded to PHP 5.2.9 (from PHP 4.4.9) and now I’m getting this error when I turn admin ssl on:
Warning: Cannot modify header information – headers already sent by (output started at /home/watescom/public_html/wp-admin/admin-header.php:17) in /home/watescom/public_html/wp-content/plugins/admin-ssl-secure-admin/admin-ssl.php on line 125
(I turned admin ssl off in the first place because, after upgrading, I was getting an endless redirection and ended up completely uninstalling the plugin (including removing the settings from the database via phpmyadmin).)
Can you help figure out how to make the plugin work?
Thank you!
I’m having problems with this plugin and WP2.8, I cannot access the admin page in any way (well, deinstalling the plugin).
And I’ve seen on http://plugincheck.bravenewcode.com/ that your plugin is not working on 2.8 because of some hardcoded text, just as an info.
If you need, I’ve a debug file.
Any idea?
Thanks in advance
@JBrinx
Thanks, I’ll look into it – not had much time recently to do any coding at all, sorry folks!
bcg
I can confirm that Admin SSL becomes non-functional in WP 2.8.
I had to turn off the plug-in. each time I would add an image link to a URL on my own server, something there would “fix” the links to HTTPS in the POST action, and since my SSL cert is not signed, nobody could see the images.
Yes, I could shorten the links to relative ones and do a lot of other tricks I suppose, but this is just too weird and too much of a hassle. I’m happy with the fact the admin interface (and with it the entire blog) is available via the https, but I’m doing away with the automatic redirection, it’s just too much of a hassle.
Hey Guys!
I am using both the Admin-SSL and CFormsII plug-ins on a site I’m building. Both plug-ins work great separately, but when I try to add the SSL to a page that uses a form, the form will no longer submit. Somehow when the page is directed to use https the form acts like it submits, but it doesn’t
Any help would be greatly appreciated!
Thanks!
~SarahB
Hi guys
I am aware that Admin SSL has stopped working in WordPress 2.8, I will hopefully have some time over the weekend to look into it and get it working again.
Cheers
bcg
Hi guys
I’ve made a couple of updates to the code, and released 1.5-b1 – it’s installed on my blog and seems to be working fine for me, please could you confirm whether or not it’s working for you, and if not email me a debug file?
Cheers
bcg
Uploaded it into plugins folder, but once I activate it, just goes round in a page redirection loop. Don’t get a chance to set it up for shared SSL.
Thanks
Rob
Hi Ben,
Where can I find the download link for the 1.5-b1 release? I hope I’m not missing something right in front of me
Thanks!
~SarahB
I have found a problem when using Admin SSL. I cannot upload files using the flash uploader. Other problems do not exist, and they are all fine. Thank You
@Robz
Please try one of the reset methods, and do the setup again.
@SarahB
I’ll add a download link – thanks for letting me know, it’ll be the ‘development version’ above.
@JCNetworks
Thanks for letting me know, I’ll look into it.
bcg
Still having the same redirect problem (resetting the config by all the ways). I’ve a debug file, if needed.
Greets,
Jbrinx
I’ve tried first three reset options. Managed to re-install and set up with shared server details, but then I can’t log out of WordPress. It keeps telling me to try again. If I delete browser cache, cookies and try to log in again, I just get endless redirections.
Robert
Reset using first three options. Re-installed and entered shared SSL details and all seemed fine, but then could not log out of WordPress. Cleared cache, cookies etc, but then when tried to log in again, just got redirected again.
Robert
Hello again Ben,
I have installed the “development version” of your plug-in and I’m still having the same troubles that I mentioned above. Did the new version have any patches for working with CFormsII? Sorry for bugging you with this, I’ve just run out of ideas. Please let me know if you have any suggestions, I would greatly appreciate it!
Thanks!
~SarahB
It just goes round and round in a loop for me too.
I get the same problem as robz.
Once I hit activate I have to login again and I get the redirection loop without entering anything.
Then when I delete all the cookies I can enter the setup and activate it and enter my information. But after I entered it (correctly numerous times) I can’t login anymore. It’s really frustrating :/
After updating to WordPress 2.8 and the 1.5-b1 version of admin-ssl, I started seeing endless redirects when I tried to log in. admin-ssl would redirect to admin-ssl-cookie.php, but that would in turn redirect back to wp-login.php, which would just send the browser back to admin-ssl-cookie.php. The only additional configuration setting I made (and this had been done back in the WP 2.7/Admin-SSL 1.4 timeframe where it was working just fine) was to also protect wp-admin/.
The only way I found to get it to work was to modify includes/cookies.php and remove the && redirect_to() !== "wp-admin/" condition such that admin-ssl-cookie.php is given a redirect to wp-admin instead of wp-login.php. I don’t know why it stopped working in 2.8 and required this change, so if you have any insights, I’d greatly appreciate it.
I have the same problem as Robz. Activating the plugin leads to a redirect loop. Reset methods 2-4 didn’t solve the problem. I have WordPress 2.8 with Admin SSL 1.5-b1. The plugin worked fine with former WordPress versions.
So BrianB you solved that redirection removing those parts? Could you specify a little bit more?
Thanks,
JBrinx
Any ETA on a 2.8 compatible update? Thanks for your hard work!
You say version 1.51b works with wordpress 2.8, but there is no link to download it here anywhere, and nowhere on the WP repository to get any version beyond 1.41. Even in “other versions” it shows past versions, but nothing beyond 1.41.
Where can we get this?
With the plugin activated, every time I access a https address it automatically forwards to http. Any ideas? I’m using wordpress 2.7
Hello,
I installed your plugin yesterday in wordpress 2.7.1 and it seemed to work okay. I went to login this morning and got put in an infinite loop. I tried all your reset options via your faq page nothing worked so I deleted the plugin.
However it’s still forcing my wp-admin into https and if I try to go to it via http I get stuck in the infinite loop…how do I fix this…please help.
Hello, can you force just one specific page to go secure, or is it only by classification, such as pages, posts, etc.?
Dear all – I’m going to close this page for comments while I work on support for WordPress 2.8, I keep hoping I’ll have a day to do it, hopefully I’ll have some time in the next few days.
bcg
Dear all – my hosting company in their wisdom have decided to remove Shared SSL from the hosting plan – meaning I can no longer test that feature of Admin SSL. I have no idea how to test it now – if you have any ideas, please post them here, or email them to me. If you would be willing to do some testing for me, then please let me know – we would have to be on Skype or MSN at the same time for that to work, with me updating files and you testing them on your server.
bcg