Secure WordPress by SSL

   Posted by: techiecat   in Security, Tutorial, Wordpress

Using SSL protocol to protect your critical information, such as user name and password, is a good idea. If you may log to your blog via an unprotected wireless network or you make some directory (e.g. uploads/) writable by WordPres, you’d better use SSL (i.e. using https:// type URL) to encrypt the administration traffic.

If your WordPress blog is hosted by a web-hosting provider, the provider likely has SSL solution for you already. In this article, I would like to share my experience on SSL solution on a self-hosted machine, which use a Fedora system and Apache httpd server.

The best solution in WordPress is probably to use the  Admin SSL Plugin. However, it cannot set up everything for you. I will give a complete tutorial on how to make SSL work for you, including how to get a key and certificate, how to set up SSL module under Apache and how to fix a bug of the Admin SSL Plugin.

  • First, you need to prepare a key file and a certificate file. This article gives a good tutorial on that.
    • If you have purchased a SSL certificate, you should get the files from the vendor. Note that a standard SSL certificate ($29.99 from some verndors) can be used for ONE domain only. That is, it can be used for techiecat.catsgarden.net but not for www.catsgarden.net. If you want to use one SSL certificate for all of your subdomains, you should purchase a wildcard or multiple domain SSL certificate (ranges from $89.99 to more than $400).
    • You can also generate a self-signed key file and certificate file without costing a penny. The only problemI is that the users will be warned by an untrustible certificate. Just ask your users to trust and accept the self-signed certificate. The good news is that the guests who visit your website have no problem, since they browse http:// links only.
    • I summarized the steps to generate a self-signed certificate and key as below. On a Fedora like system, you can use the following commands. $ sudo openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/O=Company/OU=Department/CN=*.example.com'
    • The certificate has a lifetime (1 year in this example). Mark your calendar to mind yourself to renew the certificate after 1 year.
    • Now, make the key file (it should be kept secretly) root readable only $ sudo chown root:root server.key; sudo chmod 600 server.key
  • Then, you need to configure SSL under Apache. You’d better do this step before activating the Admin SSL plugin. Because WordPress will use https:// URL immediately after the plugin is activated. If Apache is not configured using SSL, you’ll fail to access the administration panel.
    • You need enable mod_ssl and configure your domains to handle https traffic under Apache. I found that the best way is to put everything about ssl in a single ssl.conf file and include this file in the main config file (e.g. httpd.conf). You can download this example ssl.conf file.
    • Add a line in the main config file (e.g. httpd.con) like this: Include ssl.conf
    • Restart the Apache httpd server. $ sudo /usr/sbin/apachectl graceful
  • Now, you can download and install the Admin SSL Plugin.
    • After activating the Admin SSL plugin, check “Secure my Site with SSL”. In the URL List box, put something like below.
      Now the everything in wp-includes/, wp-content/, wp-admin/ are protected by https:// links.
      Note that if you have a self-signed certificate, better not include the wp-comments-post.php file here. Otherwise, the guest visitors who try to write a comment will get a warning or error for your certificate.
  • Finally we need to fix a bug of the Admin SSL plugin. If you put your uploads/ directory in the wp-content/ directory, you’ll find that all uploaded images and files are assigned https:// links automatically – since the wp-content/ is protected by https. The guest visitors CANNOT see a picture with a https:// link.
    • The first step of the solution is to make an uploads directory under the blog’s root. Then, change your uploading folder to uploads, instead of wp-content/uplaods, under the Settings->Miscellaneous section. Now the uploading folder should not be protected by https:// link any more.
    • Unfortuantely, there is another bug such that the upload form still generates https:// link for uploaded images and files. This bug is already reported here. I prepared a patch file for your conveniece. You can download the patch file and patch the bug by typing
      $ sudo cp wordpress-2.6-function.php-patch /path-of-your-blog/wp-includes/
      $ sudo cd /path-of-your-blog/wp-includes/
      $ sudo patch -p0 <wordpress-2.6-function.php-patch

      Note that the patch file is for WordPress 2.6 only. It should be fixed in the next version.
    • How about the links to uploaded files in your old posts, pages and sidebar? As long as you do not edit them, they will stay with http:// links. Whenever you edit an old post, page or the sidebar, the links to uploaded files are automatically rewritten to https://. In such case, you’d better move the files to /path-of-your-blog/uploads and change the links.

Congratulation, now enjoy secure blogging!


This entry was posted on Friday, July 25th, 2008 at 2:20 am and is filed under Security, Tutorial, Wordpress. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

6 comments so far

Daniel Craig

Hey, Cool post on e WordPress by SSL | TechieCat, I’m looking forward to reading more of your site.

July 28th, 2008 at 10:09 pm

Actually, you can just edit the Admin-SSL/admin-ssl.php

// $tmp1[] = “wp-content/”; # commented out to unsecure uploads
$tmp1[] = “wp-content/themes/”; # secures themes
$tmp1[] = “wp-content/plugins/”; # secures plugins

Now your uploads are http and you don’t even need the patch.

August 8th, 2008 at 2:10 pm

I am loving it great work just check this

October 1st, 2008 at 3:04 pm

thanks you very much :)

October 4th, 2008 at 3:04 pm

Great blog. I like layout!!!!

October 7th, 2008 at 7:59 am

easy to follow and read. thanks.

October 14th, 2008 at 11:50 pm

One Trackback/Ping

  1. Secure WordPress by SSL    Jul 25 2008 / 4am:

    [...] Go to the author’s original blog: Secure WordPress by SSL [...]

Leave a reply

Mail (will not be published)