Skip to content

WordPress 2 and SSL

I prefer to have the admin section of my WordPress installation secure. It just makes me feel better. Then WordPress 2.0 came along and caused a few issues. I think I’ve gotten around them.

When I originally installed WordPress, I simply had two virtual hosts (one secure and one unsecure) in my apache configuration. I simply redirected the pages I wanted secured to the secure vhost when they were requested on the unsecure vhost.

The config looks something like this:

RewriteRule ^(/wp-admin/.*) https://spew.whalespine.org$1$2 [L]
RewriteRule ^(/wp-login.php) https://spew.whalespine.org$1$2 [L]
RewriteRule ^(/wp-register.php) https://spew.whalespine.org$1$2 [L]

This worked fairly well before the 2.0 release of WordPress. The only issue I had was with some of the admin options and the enable sending referrers error. The workaround for the problem was to temporarily set the site uri to the secure url. Then I would set it back to the unsecure url, if I remembered, so that the main (non-admin) site didn’t have some secure urls (eg for stylesheets) buried in the unsecure site. Hardly a nice solution, but it worked for me.

Then came WordPress 2.0. I still got the errors about enabling sending referrers, but I could no longer change the site uri without getting this error (as I had before). Since I couldn’t temporarily change the siteuri anymore, I wasn’t able to things like delete posts, activate/deactive plugins etc, which obviously was a problem. So I began to look for a solution and found this which describes the problem and presents a fairly good solution. It involves what I had already done with apache (redirect to the secure site for the admin pages) along with applying a patch to WordPress. Check out the details here.

Things are now working somewhat ok. I have experienced a few problems however related to the fact that the patch above causes cookies to only be sent over a secure connection. This means that on the main page it shows the “Login” link at all times regardless of whether I am logged in or not. Another issue, which I believe is related to the cookie handling is that the post preview is broken on the Write Post page. It simply says the post cannot be found.

Despite these problems, I’m so far happy with the solution. At least all my admin functionality is available and switching back and forth between secure and unsecure seems to work fine.

Update: I figured out I didn’t follow the instructions exactly as described. I failed to do the mod_proxy part which Juergen says is the reason the preview doesn’t work. Also the Login link issue is caused by the use of secure cookies and is unavoidable. I’ll stick with this solution for now and see if it frustrates me.