Home | Setup | FAQ | History | Reset
Welcome to the homepage of the Admin SSL plugin for WordPress.
For a history of the plugin, please go here.
For setup instructions, please go here.
If you are having problems, please read the FAQ before posting.
If you need to reset Admin SSL, please go here.
The latest release, 2.0, supports WordPress 3.0+. Please note that if you upgrade from a previous version, SSL support will be disabled after the upgrade. This is due to the large coding changes required to support WordPress 3.0+.
Please also note that support for Shared SSL has been removed – if you follow this plugin you will know my hosting provider removed it so I can no longer test it. So in order to make the plugin work with 3.0+ I have had to remove Shared SSL support.
If I could be cheeky, and you would like to make a donation (for all my hard developing!), please use the PayPal donate button below:
Features
- Forces SSL on all pages where passwords can be entered.
- Works with Private SSL only.
- Custom additional URLS (e.g. wp-admin/) can be secured through the config page.
- You can choose where you want the Admin SSL config page to appear!
- Works on WordPress 3.0 – 3.1.1; for previous versions of WordPress please use version 1.4.1, but note it is no longer supported – you should upgrade to the latest WordPress version.
- Other options can be defined on the new configuration page.
- Reset, debug and test modes for troubleshooting.
Downloads
The following downloads are hosted by wordpress.org.
2.0 – The latest stable version, with all the above features.
1.4.1 – The previous stable version, works with WordPress up to 2.9 and supports Shared SSL. (NB the only way I could get Admin SSL to work in WP 2.6+ was to get it to disable the new WordPress authentication cookies, and use the ones from 2.5.1. I personally prefer SSL than the cookie weirdness of 2.6+, but it's up to you.)
If you prefer, you can use the SVN repository. The releases are in the 'tags' subdirectory, the development version in 'trunk'.
I offer as much support as I can, but this is an activity I do in my spare time, so please be patient!
Known Issues
- Admin SSL has 'erratic' behaviour when WordPress is not installed in the same directory as the WordPress URL. This is because of the way the WordPress canonical redirection functions work. I have not yet been able to overcome these.
- The login page (and other admin pages) can be secured, but nothing on the site side.
Screenshots
Secure login page.
Secure plugins screen, with Admin SSL enabled.
design © bcg mmxi
Hi, I want to use the plugin with wordpress mu (2.7), but I get an error saying “Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.”. Am I doing somehting wrong?
I think this might have to do with that I’m running httpd on RHEL (Red Hat Enterprise Linux). It seems to work fine on a debian install. When I turn on debugging it has a lot of ### ADMIN SSL BEGINS ### for ONE page reload! It seems not to understand that it already is https we’re talking..
@Bjørge
It may well be the SSL detection that’s playing up – have you got the right variables on the Admin SSL options page?
I had an error in my configuration resulting in $_SERVER["HTTPS"] not beeing set to “on”. Fixed now.
Another issue:
“Please note that installiation of Admin SSL on WPMU is only possible for Site Administrators”
What do you mean by this?
Can I not secure all admin sites on all blogs?
Regards
Bjørge
@Bjørge
It means that the Admin SSL options will only be available to users with admin rights. It will by default secure the admin pages of all users – but only administrators can edit Admin SSL options (e.g. turn SSL off).
bcg
@bcg
My problem is exactly that; I get ssl on b.uib.no/wp-admin, but not on anythingelse.b.uib.no/wp-admin. I noticed when I turned on logging that this appears in the log file:
Is WPMU: No
Could there have been changes in WPMU 2.7 that makes the variable global $plugins_dir be plugins, not mu_plugins?
Also, the Admin SSL setup configurator appears in the b.uib.no blog, not in the “Site Admin” bar.
Bjørge
I talked to donncha (maintainer of wpmu) and the way you check if you are in a wpmu-install is not the recommended one:
in function is_wpmu you should check for the presence of either function is_site_admin or the variable $wpmu_version
Bjørge
Sorry. It works, I played with a symlink in mu-plugins instead of copying the file. This altered $dir to admin-ssl (should be mu-plugins).
Hi – I’m having trouble.
I secured my checkout page but get the following error:
Forbidden
You don’t have permission to access /index.php on this server.
Apache/2 Server at web103.secure-secure.co.uk Port 443
This is the URL:
https://web103.secure-secure.co.uk/turnkeytelecom.com/products-page/checkout
Have tried it with and without a trailing URL.
@Hampstead
It sounds like there is a problem with your hosting company setup – have you contacted them to ask if they have any ideas?
bcg
Hi bcg,
on March 3rd I was detecting an error in my working enviroment – Using WP 2.7.1 and AdminSSL 1.4.1 with shared SSL – ending in a redirect loop…
Was my logfile helpful and did you get any news by now?
Thanks for the update,
Jens
@Jens
I haven’t had a moment to do any work on Admin SSL for a while now – I’ll try and do some this week maybe, and get back to you. Sorry about that!
bcg
I’m running mu 2.7.1 and private SSL with a self-signed cert during testing. The download is the latest from wp.com.
It is working perfectly with the exception of new blog activations. When I click the activation link in the email, I end up getting sent back to the site home page and the blog never gets activated or created in the database.
I went ahead and activated the debug log. It’s empty.
Any ideas?
@Scott
Can you send me a copy of the two activation emails please, one with Admin SSL enabled, the other with it disabled?
Cheers
bcg
Further to this issue – I found that the activation link works just fine if I disable admin-ssl first. The activation link looks something like – http://newblog.mysite.com/wp-activate.php?key=12345678
I also found that it would work just fine with admin-ssl enabled if I removed the subdomain from the url and directed it right at the main site – http://mysite.com/wp-activate.php?key=12345678
Thanks!
i’ve posted my problem at here : http://wordpress.org/support/topic/265920 ..so please give solutions. thank you so much.
I set up Admin SSL then went to change the options on my theme, Atahualpa, and all I got was a blank white page. Any help?
Thanks,
Kurt
@ Kurt
Hi I have Admin SSL installed with Atahualpa theme on a client’s site and the Atahualpa theme options page does work OK so your problem is specific to your site, not a general conflict between the two.
Hi,
I’m using 1.4.1 with shared SSL and was getting endless redirect loop.
My webhost is 1&1 and when using shared ssl, the blog url becomes https://ssl.perfora.net/myblog.com/. The check “host() !== $url["host"])” on line 186 of https.php was always failing because host() is myblog.com and $url["host"] is ssl.perfora.net. So, I commented out that check to break the redirect loop.
-V
This might help other folks trying to use admin-ssl with 1and1 using shared ssl.
Secure my site with SSL [check]
Shared SSL [check]
Shared SSL URL [https://ssl.perfora.net/myblog.com/wp-admin]
HTTPS Detection
HTTPS $_SERVER variable name [HTTP_X_FORWARDED_SERVER]
HTTPS $_SERVER variable value [ssl.perfora.net]
All options need to be entered without [ ]
@VC: Thanks for your work and for posting your solution!
I can say it works for me to
For the hoster all-inkl you only have to alter
HTTPS $_SERVER variable value to [ssl-account.com]
By now it works like a charme and I want to say thanks again for this great plugin and this solution!
Cheers,
Jens
I am using this on a WP install for a client. Whoever originally installed wordpress didnn’t install WP in the root directory, but rather the directory /wp. but WP publishes to the Root. So if I want to go to the admin I type domain.com/wp/wp-admin. If I want to visit the site I type domain.com.
When I turn on admin SSL it forces a redirect of domain.com -> domain.com/wp/ which produces a 404. It also does a weird rewrite of the URLs in additional URLs. if my URL is domain.com/additional-URL/ it rewrites the URL domain.com/wpditional-URL Notice how it truncates part of the address as it places in the WP.
My question is there any way to get the plugin to ingnore the /wp/ for page level enforcement? I really don’t want to move the WP install as there would be lots of referential issues I would have to untie.
Thanks for the help
Hi, I want to use the WordPress MU Domain Mapping plugin for WPMU. It is made by the lead developer of WPMU. http://ocaoimh.ie/wordpress-mu-domain-mapping/
My problem is that I use Admin SSL too, and the combination of these two fails miserably (redirect loop). Has anyone else had any success in using these together? Using them one at a time is no problem.
I use WPMU 2.7.1.
Hope you have some ideas!
Regards
Bjørge
Same for me. For that reason and for the problem I posted previously about, I ended up using the force SSL Login setting in wp-config.
Hello!
I just installed Admin SSL
I am running WP 2.7.1, latest downloadable Admin SSL with private SSL.
I just can’t seem to get it working :3 whenever I login with https, it says I have an infinite loop. Normal still working fine, plugin enable and I can still browse all areas, just not in SSL (https).
I tried disabling all addon but no dice. I’ve also tried to temporarily disable mod_rewrite, no dice. I’ve also google and people tell me to do silly things such as open and saving options-permalinks.php and yet still no dice.
I’ve read quite a few pages here and no help
? Any help could be appreciated.
Any ideas what could be wrong
I could email you a debug log if that helps.
Thanks again
@Maiev
Have you checked the HTTPS detection server variable key/value pair?
bcg
Hay bcg,
I took some time to examine what you said + previous post
got my answer XD
A.W.S.
8 August 2008 at 11:17pm
Thanks for a great plug-in. I hope this gets rolled into the core WordPress distribution. Especially considering how many people update their blogs on coffee shop wi-fi and other untrusted networks.
I would like to point out that version 1.1 of the plug-in does not work with Apache 1.3 out of the gate. This is probably the issue that @TFB ran into. Basically, Apache 1.3 (which a lot of hosting companies use) doesn’t have the HTTPS variable available. (Look under “specials” in the mod_rewrite 1.3 documentation (http://tinyurl.com/fgsge) and the 2.0 documentation (http://tinyurl.com/kawns) for confirmation.)
Assuming that the hosting provider runs HTTPS over port 443, a fix for this in the Admin-SSL plugin under “Other Settings” -> “HTTPS Detection” is to set:
“The name of the HTTPS $_SERVER variable” = “SERVER_PORT”
(without the quotes),
and:
“The value of the HTTPS $_SERVER variable when HTTPS is ON” to:
“443? (again, without quotes)
I set my HTTPS $SERVER variable as Server Port, then the port being the “actual” port of the SSL, being some weird numbers and got it working
ur plugin rocks! thanks again and sorry to bother u
now just gotta find the donate button XD
Hi, I found a bug in this plugin.
I reported the bug with a patch on WordPress forum:
http://wordpress.org/support/topic/267385
Please look.