Home | Setup | FAQ | History | Reset
Welcome to the homepage of the Admin SSL plugin for WordPress.
For a history of the plugin, please go here.
For setup instructions, please go here.
If you are having problems, please read the FAQ before posting.
If you need to reset Admin SSL, please go here.
The latest release, 2.0, supports WordPress 3.0+. Please note that if you upgrade from a previous version, SSL support will be disabled after the upgrade. This is due to the large coding changes required to support WordPress 3.0+.
Please also note that support for Shared SSL has been removed – if you follow this plugin you will know my hosting provider removed it so I can no longer test it. So in order to make the plugin work with 3.0+ I have had to remove Shared SSL support.
If I could be cheeky, and you would like to make a donation (for all my hard developing!), please use the PayPal donate button below:
Features
- Forces SSL on all pages where passwords can be entered.
- Works with Private SSL only.
- Custom additional URLS (e.g. wp-admin/) can be secured through the config page.
- You can choose where you want the Admin SSL config page to appear!
- Works on WordPress 3.0 – 3.1.1; for previous versions of WordPress please use version 1.4.1, but note it is no longer supported – you should upgrade to the latest WordPress version.
- Other options can be defined on the new configuration page.
- Reset, debug and test modes for troubleshooting.
Downloads
The following downloads are hosted by wordpress.org.
2.0 – The latest stable version, with all the above features.
1.4.1 – The previous stable version, works with WordPress up to 2.9 and supports Shared SSL. (NB the only way I could get Admin SSL to work in WP 2.6+ was to get it to disable the new WordPress authentication cookies, and use the ones from 2.5.1. I personally prefer SSL than the cookie weirdness of 2.6+, but it's up to you.)
If you prefer, you can use the SVN repository. The releases are in the 'tags' subdirectory, the development version in 'trunk'.
I offer as much support as I can, but this is an activity I do in my spare time, so please be patient!
Known Issues
- Admin SSL has 'erratic' behaviour when WordPress is not installed in the same directory as the WordPress URL. This is because of the way the WordPress canonical redirection functions work. I have not yet been able to overcome these.
- The login page (and other admin pages) can be secured, but nothing on the site side.
Screenshots
Secure login page.
Secure plugins screen, with Admin SSL enabled.
design © bcg mmxi
Is there a tag for 1.3.4 in SVN? If not, could you please add?
Thanks
@Jason:
I’ve committed a 1.3.5 and added a tag – can’t believe I forgot for 1.3.4!
@bcg: Sweet, thanks
Missed a bit on the tag location
I think I should have had some coffee when I got up this morning…
I am having trouble with mixed content errors on my secured pages because of the following 2 plugins:
Nextgen Gallery and Cforms. I’ve replaced Cforms for now, but would like to get Nextgen working. The Nextgen css file url in the header is the culprit. It is the only url (other than 2 Cforms urls) that isn’t referenced as https.
@NZ: I’ll try and look into it over the next few days. Cheers.
Thanks!
Forgive me if I’m being dense; I think this was covered in earlier in the thread, but I just want to be sure.
I’m using WordPress MU 2.7 (beta) and Admin-SSL 1.3.5. I’m running my WordPress MU install in directory mode (e.g. wordpress.foo.edu/bar) rather than subdomain mode (e.g. bar.wordpress.foo.edu). With Admin-SSL installed, the redirects work perfectly for the top-level, mother blog (the admin blog at wordpress.foo.edu) but all lower-level, daughter blogs (wordpress.foo.edu/bar/wp-admin/) throw 404 errors when I try and access them.
Everything redirects to https correctly, it’s just that the page won’t load. Based on your initial post and the comment thread, I’m guessing this relates to your comment that “Admin SSL has ‘erratic’ behaviour when WordPress is not installed in the same directory as the WordPress URL.” because of the WordPress rewrite voodoo.
So things are fine as long as you’re in the base directory for the mother blog, but once you get into a subdirectory for one of the daughter blogs, things fail because of the redirect issues?
Or should things work for the daughter blogs as well, and I should be hunting elsewhere for the solution to my 404 woes?
I figured out my issue. It turns out that the SSL-protected pages would not load because the ssl.conf information for that virtual host had “AllowOverride None” instead of “AllowOverride FileInfo Options”. Once I tweaked the setting and rebooted apache, htaccess was able to do its things, pages were redirected correctly and Admin-SSL worked like a dream.
@Ken – Great news. I’m having trouble getting time to troubleshoot some of the stuff people are posting on here, so I’m gladd you’ve sorted it.
Hi
When I try to use Admin SSL with WP 2.7 I get a funny redirect to my login page.
I use the a shared setup where I’ve made the alias “/wp”. When enabling shared ssl and type in this: “https://pregel.dk/wp/wp-admin”
the link is messed up and becomes: “https://pregel.dk/wp/wp/wp/wp-admin” which of course doesn’t work.
/T
@Thomas
Are you using the WordPress home in a different directory to the URL feature? It may be that that is the problem – if not it sounds like something else is going on.
BCG
I’m not sure if I understand you correctly but yes, I’ve got wordpress in one directory and my ssl virtual host is in an other directory. I’ve tried both making an alias on my ssl virtual host and copied the wp-admin directory directly under the ssl directory.
/T
@Thomas
Perhaps you could enable debug mode and email the debug log (instructions can be found on the site).
bcg
Dear Sir,
I tried to use your plugin with shared ssl certificate, however unfortunately I get the infinite loop problem before being able to access the login page.
The path to wp-admin should be definitely correct, however the HTTPS detection fields are HTTPS and ON which sounds me wrong. I have no idea how to set them though!
You can have a look at my debug.log here EDITED
Thank you very much for your support!
@alde
I’ll email you…
I’ve run into an intermittent problem with xmlrpc and Admin SSL.
Blog runs fine w/o SSL. Also runs fine w/Admin SSL. I’ve added “xmlrpc.php” to the list of secured files, though, and that’s where I have a problem.
With “xmlrpc.php” secured, my blog sometimes ships out malformed XML responses to blog editors when they are trying to retrieve a list of posts. I’ve notice, for example, a missing tag.
This does not happen all the time. For example, on one blog I can get a refresh of the list from the blog editor to succeed if I limit it to 1 item, but it fails (with the missing tag above) when I include the 3rd item. When I disable Admin SSL the blog editor gets good data from my server.
Any ideas on how Admin SSL might be interacting so oddly with xmlrpc? Any suggestions on how to debug this problem?
I think I found the xmlrpc problem.
It turns out that Admin SSL assumes that it should rewrite self-referencing http URLs in the outbound buffer so that they point to https. Normally this is a good idea (avoids many warnings from the browser). But it is a bad idea when the outbound buffer is an XML file which WordPress already assumes to be of a given length. Essentially, the rewritten buffer was too long and some tags (including the closing tag) were getting cut off.
My suggestion: explicitly exempt xmlrpc.php from the substitution. I’ve done this rather crudely, I’m sure you may have a prettier way of accomplishing the same thing. Here’s the patch that worked for me:
In https.php replace…
$buffer = str_replace($replace_this,$with_this,$buffer);
with…
if(strpos(req_uri(),”xmlrpc.php”) === false) { $buffer = str_replace($replace_this,$with_this,$buffer); }
Presto, my blog editor can now parse the XML being returned by xmlrpc.php.
By the way, this also explains why the problem did not always occur. Some of the blogs didn’t have any images in the posts. No images meant no local URL references. No such references meant no substitutions. No substitutions meant no changes in response length. Everything worked in those cases.
@Eric
Your way may be ‘rather crude’, but I think it might be the simplest way! I’ll look into it, and release a new version. Thanks for bringing it to my attention, I didn’t know anything about xmlrpc.php.
Cheers
bcg
Hi
Just failed to set up Admin SSL on my site running WordPress 2.7.1
I have to run my site on non-standard port (8079) since my provider firewalls incoming connections on port 80.
So my blog URL constains port number – http://yoush.homelinux.org:8079/
My web server is set up to serve SSL connections on port 443, it works outside of wordpress area.
I tried to set up SSL Admin.
First, I selected ‘private ssl’, but that resulted in attempts to access https://yoush.homelinux.org:8079/, which obviously failed.
Then I selected shared ssl and entered URL https://yoush.homelinux.org/wp-admin/
It looked ok. However, then I reloaded my blog’s main page, and it contained admin link still http://, not https://. Logout link was https://, but it did not work: if I clicked on the link, it resulted in an error message with “try again” link pointing to the site’s main page.
Had to disable Admin SSL for now.
Could you please help?
Where do the settings show up in 2.7.1? I can’t seem to find the Admin-SSL config page anywhere. I have it installed and activated. Any help would greatly be appreciated. Thanks for the great plug-in!
@Richard
You can get there either by clicking the ‘Settings’ link in the main Plugins page. Depending on your own setting, it will be under the Plugins menu, or the Settings menu (the default is the Plugins menu).
@Nikita
Can you follow the instructions on the FAQ to enable debug mode and email me the debug log, please?
bcg
Those WP “menus” can be hard to find in 2.7.
After you click on “Plugins” you should see “Admin SSL”.
You can choose to move “Admin SSL” to the “Settings” menu, though. If you do, then click on “Settings” and you will see it.
You can “twist” the little arrows on the right of the section names (“Plugins” or “Settings”) to try to keep them displaying all the time, but this does not always work, in my experience.
@bcg
It does not appear in either of those menus. Does that mean something did not get installed properly?
@Richard
Is it enabled on the plugins page? The plugin must be activated once it is uploaded – once it is activated, the Admin SSL settings link should appear.
@bcg
Yep it is enabled and everything… I have used this plugin with older installations and it worked fine, but for some reason it is just not working in 2.7.1
@Richard
This is very strange, as I am using 2.7.1 myself – are you using the latest version (i.e. 1.4 or above)?
@bcg
yep, i am using the latest version. i have been having an issue with folder permissions, i.e. not being writable, could this be causing a problem?
would you like me to email you instead of clogging up your blog?