words of wisdom from a systems engineer

Requiring SSL encryption for WordPress administration

I was digging around for WordPress plugins last night that would allow me to secure the administrative login page for my WordPress installations. Most of the plugins are only compatible with WordPress 2.7.x or earlier, so I was a little concerned about them working with WordPress 2.8.2.

Then I stumbled upon the WordPress documentation that shows you how to require SSL with no plugins at all. If you’re using WordPress 2.6+, you can use these super-simple instructions:

Require encryption just for the /wp-admin/ login, but leave the rest of the administrative area on HTTP:

# Add this line to wp-config.php
define('FORCE_SSL_LOGIN', true);

To encrypt the login and the entire administrative area:

# Add this line to wp-config.php
define('FORCE_SSL_ADMIN', true);

Of course, for this to work, you’ll need virtual hosts on ports 80 and 443 for your blog. Also, you’ll need an SSL certificate for your blog. You can snag one from a reputable provider or make your own.
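To check which of the two settings above a given wp-config.php actually ends up with, here is an added example (not from the WordPress documentation or from this post's original code). It also catches two easy mistakes: a define that is still commented out, and a define placed after the line that loads wp-settings.php, where it has no effect. The function names and sample files are made up for illustration.

```python
import re

# define('FORCE_SSL_...', value); "define" is case-insensitive in PHP, the constant name is not.
DEFINE_RE = re.compile(
    r"""(?i:define)\s*\(\s*['"](FORCE_SSL_(?:ADMIN|LOGIN))['"]\s*,\s*([^)]+?)\s*\)\s*;""")
# The line that hands control to WordPress; defines after it are too late.
SETTINGS_RE = re.compile(r"(?:require|include)(?:_once)?\b[^;]*wp-settings\.php")

def strip_comments(php):
    """Drop /* */ blocks and #, // line comments (naive: does not parse string literals)."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)(?:#|(?<!:)//).*$", "", php)

def audit_wp_config(php):
    """Return (mode, findings); mode is 'admin-and-login', 'login-only' or 'none'."""
    code = strip_comments(php)
    loaded = SETTINGS_RE.search(code)
    cutoff = loaded.start() if loaded else len(code)
    on = {"FORCE_SSL_ADMIN": False, "FORCE_SSL_LOGIN": False}
    findings = []
    for d in DEFINE_RE.finditer(code):
        name, value = d.group(1), d.group(2).strip().lower()
        if d.start() > cutoff:
            findings.append(f"{name} is defined after wp-settings.php is loaded and has no effect")
        else:
            on[name] = value in ("true", "1")  # only literal true/1 counts as enabled
    if on["FORCE_SSL_ADMIN"]:
        return "admin-and-login", findings
    if on["FORCE_SSL_LOGIN"]:
        findings.append("admin pages, and the login cookie sent with them, stay on plain HTTP")
        return "login-only", findings
    return "none", findings

# Constructed sample wp-config.php contents (not taken from any real site).
SAMPLES = {
    "full": "<?php\ndefine('FORCE_SSL_ADMIN', true);\nrequire_once(ABSPATH . 'wp-settings.php');\n",
    "login": "<?php\ndefine( \"FORCE_SSL_LOGIN\", TRUE );\nrequire_once(ABSPATH . 'wp-settings.php');\n",
    "commented": "<?php\n# define('FORCE_SSL_ADMIN', true);\nrequire_once(ABSPATH . 'wp-settings.php');\n",
    "too_late": "<?php\nrequire_once(ABSPATH . 'wp-settings.php');\ndefine('FORCE_SSL_ADMIN', true);\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, audit_wp_config(text))
```

To audit a real install, pass the contents of its wp-config.php to audit_wp_config() instead of the samples.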