Thu 11 Jan 2007
Update (16th April): Now compatible with PHP 5.2.1!
Update (19th April): Now supports Shared SSL certificates!
Update (24th April): Plugin renamed to ‘Admin-SSL’
Haris.tv now sports SSL encryption and my intention is to apply the security to parts of the site that handle sensitive information.
The Story
I’ve been spending a long while looking for the most efficient way to make use of an SSL certificate with WordPress. Although there have been some promising solutions out there, the majority required hacking at the code and didn’t seem elegant enough to me.
I was looking for something in the form of a plugin and found a couple. The first simply forced https:// for all the pages in a WordPress site which I didn’t want. The second (on paper anyhow …erm actually html) was ideal! Secure-Admin written by Ryan Boren of wordpress.org forces SSL for the admin pages and goes about encrypting the cookie contents:
On a technical level, what we’ve done is restricted your login cookies to be SSL-only, which means they will never be transmitted in the clear, and we’re encrypting the cookies sent in the clear to make it difficult for anyone to impersonate your login.
It also goes a long way to handle translation of http:// to https:// for certain page anchors avoiding security warnings from the browser about mixed (secure and nonsecure) content.
Great! I thought. So I downloaded it and went about the usual installation process.
To my confusion on activating the plugin, I was thrown out of my admin pages to a login screen and, once I logged back in, I could no longer see the admin menu bar. Any admin pages I tried to access would display:
You do not have sufficient permissions to access this page.
To gain control once more and deactivate the secure-admin plugin I simply FTP’d in and deleted the secure-admin.php file.
I found many people complaining of the same problem. At first I thought it was an issue with the WordPress release I was using at the time, 2.0.5, and even posted about this being the likely issue in the WordPress forum. However, I then found that the same problem was apparent with 2.1-Alpha which I subsequently tested. (Also tested 2.0.6 and a few other releases with the same results)
Since there are others complaining of the same issue with no resolution in sight I decided to roll up my sleeves, fire up my favourite PHP debugger and try and solve the mystery.
And I did! The problem, for those that are interested, came down to a call for user details that aren’t delivered intact due to missing functionality. Since the user cannot be identified, WordPress locks you out, thinking that you are not the administrator. I’ve written a new function to cover the missing functionality; the user is now verified and all is working!
I don’t know why this functionality was incomplete in the first place. The last update to the plugin was 4 months ago and it may be that it’s no longer maintained. It was certainly well received when announced in this post on the WordPress site.
I’ve made the patched file available to anyone who wants it. I’ve tested it with WordPress 2.0.5, 2.0.6 and 2.1-Alpha, so I assume it would work with anything from 2.0 upwards. I would appreciate compatibility feedback; feel free to post a comment!
Enjoy.
Secure-Admin has been replaced by Admin-SSL. See here
January 12th, 2007 at 1:36 pm
I will kick this around, but on my wp 2.0.6 installation is looks like it works.
Much thanks! I always wanted SSL admin in WordPress!
January 12th, 2007 at 1:43 pm
You’re welcome! Glad to hear it’s working
January 12th, 2007 at 3:54 pm
Haris, thanks for the pointer! I didn’t follow the secure-admin development.
January 12th, 2007 at 4:01 pm
Hi Juergen, no probs.
I’ve been using your blog to learn about WordPress and Linux in general, cheers for dropping by!
January 13th, 2007 at 3:34 am
This won’t work when you happen to have your blog as a name-based virtual host in Apache or elsewhere. Once you activate the plugin, you won’t be able to access the /wp-admin/ page to deactivate it. To fix it, simply remove the plugin’s PHP file from the /wp-content/plugins directory, then hit ‘reload’ in the browser.
January 13th, 2007 at 10:06 am
Yes, an SSL setup using a name-based virtual host that does not have an equivalent URI to the insecure site will not work.
The plugin translates addresses by simply changing ‘http’(://unchanged.com) to ‘https’(://unchanged.com)
Thanks for bringing that up Jerry
January 15th, 2007 at 2:14 am
Your analysis of securing the wp-admin is dead on. I ran into the same problem you described and was delighted to see someone else ran into the same limitations with the other plugins and options.
Your plugin resolved my situation. Just wanted to say thank you very much!
January 15th, 2007 at 9:54 am
Glad it’s working well for you Don!
It’s also reassuring for me to know that others have experienced the same issues.
Makes it all the more worthwhile to make a solution available.
January 16th, 2007 at 8:29 pm
Just installed WordPress 2.0.7 and briefly tested with the plugin. Seems OK!
If anyone experiences any issues please post a comment.
January 17th, 2007 at 3:16 pm
Does this plugin do anything besides rewrite URLs? If not, wouldn’t simply setting the WordPress address to https://yoursite.com/wp and the Blog address to http://yoursite.com/wp achieve the same thing? Everything *appears* to go over the SSL link, but maybe there’s something I’m missing on the backend…
Also, this plugin does not work when installed into the plugins directory of the WordPress that’s available in the Debian repositories (2.0.6). After activating the plugin, every page it returns is an empty page, and the only way to get back in is to delete the plugin.
January 17th, 2007 at 6:22 pm
Hi Sam,
>>> Does this plugin do anything besides rewrite URLs?
Rewriting URLs is a minor feature of the plugin. There’s much more happening on the backend.
I don’t know if you have a facility to stack trace the server calls. If you have, simply call the login page in https (without the plugin) and login. Watch what happens on the backend, there are http calls all over the place. The plugin takes care of this.
The plugin ensures that other elements of the page are also re-written to https, therefore avoiding the mixed content warnings that one gets from the browser when https pages containing http elements are loaded.
The login page is in the same directory as the blog. Therefore you cannot simply apply https to the admin folder as the transfer of login details would be happening on the http side. The plugin takes care of this.
The plugin also ensures cookies are forced over SSL. Cookie contents are scrambled and so anyone trying to view cookies with the intention of stealing user details see gibberish.
>>> This plugin does not work when used with a Debian repository install of WordPress 2.0.6
Thanks for the info; unfortunately I don’t have Debian Linux set up to run a test. You might want to try out a manual installation of the current stable release, 2.0.7, which should work fine.
Hope that helps.
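A worked example of the two server-side checks the reply above describes, a login cookie that is SSL-only and admin requests forced over https. This is added illustration in the spirit of the plugin, not Secure-Admin’s own code: the function names and the $secure_host parameter are hypothetical, and the cookie-content scrambling the plugin performs is not reproduced here.

```php
<?php
// Added example, not Secure-Admin/Admin-SSL code: the server-side checks
// behind "login cookies are SSL-only". Function names and the $secure_host
// parameter are hypothetical; the plugin's cookie scrambling is not shown.

// Apache's mod_ssl sets HTTPS=on inside an https virtual host. Plain-http
// requests leave it unset (or, on some servers, set to 'off').
function request_is_ssl()
{
    return isset($_SERVER['HTTPS'])
        && $_SERVER['HTTPS'] !== ''
        && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Issue the login cookie with the Secure flag (the browser will only ever
// send it back over https) and HttpOnly (page scripts cannot read it; the
// seventh setcookie() argument needs PHP 5.2.0 or later). If the login form
// itself was not posted over https the credentials have already crossed
// the wire in the clear, so no session cookie is issued at all.
function set_login_cookie($name, $value, $expire, $path)
{
    if (!request_is_ssl()) {
        return false;
    }
    return setcookie($name, $value, $expire, $path, '', true, true);
}

// Send plain-http requests for admin pages to their https twin before any
// cookie is looked at. $secure_host comes from configuration, never from the
// client's Host header, so a forged header cannot turn this into a redirect
// to someone else's site.
function require_ssl_or_redirect($secure_host)
{
    if (request_is_ssl()) {
        return true;
    }
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    header('Location: https://' . $secure_host . $uri, true, 302);
    return false;
}

// A login cookie that shows up on a plain-http request proves nothing: a
// browser never sends a Secure cookie that way, so one that does arrive
// was copied or forged and must not be honoured.
function login_cookie_is_acceptable($name)
{
    return request_is_ssl()
        && isset($_COOKIE[$name])
        && $_COOKIE[$name] !== '';
}

// Typical call order at the top of wp-login.php / wp-admin pages, before any
// output, since both setcookie() and header() need the headers still unsent.
// 'login_cookie' is a placeholder for whatever cookie name the site uses.
if (!require_ssl_or_redirect('mydomain.com')) {
    exit;
}
if (!login_cookie_is_acceptable('login_cookie')) {
    // fall through to the login form
}
```

The point of the last check is the one Ryan Boren’s description makes: once the cookie carries the Secure flag, the browser itself never sends it over http, so the only cookies that can arrive on a plain-http admin request are ones an attacker injected, and the server should treat them as exactly that.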
January 18th, 2007 at 1:49 pm
[…] WordPress SSL Plugin - Secures wp-admin/wp-login using an available Private SSL certificate. Encrypts cookie contents. […]
January 22nd, 2007 at 8:45 pm
Hello,
I was looking for this plugin for a long time already. Until now I was playing with some custom rewrite rules, which didn’t work that great.
However, I have a problem if used together with the gallery plugin (see http://wpg2.galleryembedded.com/index.php/Main_Page). However, if I add the tag to include a picture in one of my posts, the preview on the edit page remains blank. If I remove the tag again, the preview works perfect.
Anybody seen this before?
al:x
January 22nd, 2007 at 11:09 pm
Just installed and tested the latest stable release of WordPress, 2.1 (Ella), released 30 minutes ago. The plugin seems to be holding up!
I haven’t run any extensive tests so if anyone experiences any issues please post a comment.
PS. @ Al:x; just sent you an email.
January 23rd, 2007 at 9:10 pm
Ok, I guess I found the cause of my problem. php_value memory_limit was not set in the SSL virtual host config (for the gallery plugin this needs to be at least 16M). Since your plugin now forces everything over SSL, this obviously became a problem.
January 25th, 2007 at 4:53 pm
I just installed the plug in into WordPress 2.0.7 and am getting the following error on activation
[www.domain.com] has sent an incorrect or unexpected message. Error Code -12263.
January 25th, 2007 at 7:21 pm
[…] After having secured WordPress more badly than well with my rewrite hack, I now have, with the help of the patched Secure Admin plugin, a way that at first glance looks considerably more elegant. […]
January 25th, 2007 at 8:15 pm
Hi FinD,
WordPress 2.0.7 should work fine.
Error 12263 points to a problem with the SSL setup on the server.
“SSL received a record that exceeded the maximum permissible length.”
This generally indicates that the remote peer system has a flawed implementation of SSL, and is violating the SSL specification.
If you are running your own web server the following will help:
http://www.helicontech.com/forum/forum_posts-TID-6150.htm
http://www.howtoforge.com/forums/showthread.php?t=9665
http://virtuemart.net/index.php?option=com_smf&Itemid=71&topic=24508.0
If you are on a hosted server this is an issue your host should resolve for you.
To de-activate the plugin whilst you resolve the issue simply delete it from the /plugins/ directory.
January 28th, 2007 at 10:37 pm
[…] After a little research, however, I found the WordPress Secure Admin Plugin, which is infinitely easy to install and does exactly what it should: it makes sure all URLs in the admin interface are HTTPSed, re-enabling me to log into my blog encryptedly. It also encrypts the login cookie now, reducing the risk of session hijacking. […]
February 7th, 2007 at 7:22 pm
[…] have now turned away from making use of permanent encryption. The Secure-Admin plugin at least helps to secure the backend […]
February 10th, 2007 at 3:38 pm
[…] Well, the title is pretty self-explanatory. I’ve updated wordpress to version 2.1. It holds some pretty good new stuff, mostly in the admin area. One thing which I found lacking was ssl support in the admin area. The problem was quickly solved by using the secure-admin plugin. Can be found here: http://haris.tv/2007/01/11/wordpress-ssl-plugin-secure-admin-patched-and-working/ […]
February 15th, 2007 at 6:28 am
Hi,
Nice plugin. Thanks a lot.
Does this work with WordpressMu?
Best
February 15th, 2007 at 11:01 am
Hi Lopo, thanks, you’re welcome,
I have never worked with MU so can’t say.
Someone else may have though?
February 20th, 2007 at 12:40 am
Hi…
Will this plugin work with a shared SSL certificate?
Thanks.
February 20th, 2007 at 8:16 am
No, you need a private SSL certificate in order to use the plugin.
Before activating the plugin, you can test if you have the correct setup by typing in your blog address with https instead of http.
If the browser displays your site, you can use the plugin, if it doesn’t, you don’t have the correct setup.
February 23rd, 2007 at 9:34 am
I found it would not work on my WordPress blog hosted on Lunarpages. Could anyone recommend a hosting service with which I could easily use this SSL plugin? Are there hosting services that have the certificate as part of the deal? I need this so badly but am not sure what host or services I need to get the thing working. Thanks.
February 23rd, 2007 at 10:33 am
Doug,
Looking at Lunarpages, I don’t see that any of the plans include a private SSL certificate as standard. The business plan includes ‘Free SSL Installation’ but this doesn’t mean that they include the certificate.
this should help:
http://desk.lunarpages.com/faq.php?do=article&articleid=51
Also bear in mind that you need a private (or personal) SSL certificate, NOT a ’shared’ one.
February 23rd, 2007 at 4:16 pm
Doug,
I use Lunarpages, and we have an SSL certificate purchased from Thawte. It works just fine with this plugin. You need a privately purchased SSL certificate.
March 8th, 2007 at 10:34 pm
Just noting, it seems to work just fine on the current WordPress; using it on my e-commerce site.
thanks for the great plugin:)
March 10th, 2007 at 1:12 am
[…] Secure Admin […]
April 7th, 2007 at 12:32 am
Hello, my domain.com site is hosted on a shared hosting plan. The hosting company allows us to use a shared certificate (assigned to the server DNS name - servername.domain.com). So if I want to access my site over SSL I can use https://server.domain.com/accountname versus http://mydomain.com. Would it be possible to make this plugin work with two different URLs, one used for HTTP and the other for HTTPS?
April 16th, 2007 at 12:58 pm
For anyone that previously experienced a blank screen with PHP 5.2.1, this has now been resolved.
For those that are interested; the problem was due to a change in PHP 5.2 that causes a fatal error in cache.php (any wordpress plugins that pass content through a filter will also suffer the same fate).
I’ve implemented a fix that forces the cache flushing before the termination of the object.
The current version is now 0.2 (59)
Enjoy!
April 19th, 2007 at 3:54 pm
[…] modify the Secure-Admin code to cater for those that wanted to add SSL security without the need for extra requirements […]
April 19th, 2007 at 4:34 pm
I’ve just uploaded version 0.2 (60) of Secure-Admin that now supports Shared SSL setups as well as Private SSL.
The setup is identical as it was before but with the addition of an extra step for Shared SSL setups.
The code is written to allow for any type of Shared SSL url.
The following are examples:
“https://shared_ssl.com/username/”
“https://username.shared_ssl.com/”
To define the URL provided by your host, simply populate the variable $secure_url in secure-admin.php with the address.
Please ensure that the address includes the root WordPress folder, e.g.:
$secure_url = "https://shared_ssl.com/username/wordpress/";
@alon, Enjoy!
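As an added example of the mapping described in the comment above, and of the plain http-to-https translation mentioned earlier in the thread, the following is not Admin-SSL’s own code. It shows how a blog URL is converted to its SSL counterpart under a Private SSL setup (only the scheme changes) and under a Shared SSL setup ($secure_url replaces the WordPress root), and how the links inside an admin page are rewritten so that an https page carries no http elements. $home, the function names and the sample markup are constructed for the example.

```php
<?php
// Added example, not Admin-SSL's own code: mapping blog URLs to their SSL
// counterpart for a Private and a Shared SSL setup, and rewriting the links
// in an admin page so an https page contains no http elements. $home is a
// hypothetical setting; $secure_url follows the plugin's convention above.

$home       = 'http://mydomain.com/wordpress/';
$secure_url = 'https://shared_ssl.com/username/wordpress/'; // '' for Private SSL

// Private SSL: the certificate is for the blog's own host, so any URL on that
// host is reachable with the scheme swapped and nothing else changed.
// Shared SSL: only the WordPress folder is reachable at the host-supplied
// address, so exactly the $home prefix is replaced:
//   http://mydomain.com/wordpress/wp-login.php
//   -> https://shared_ssl.com/username/wordpress/wp-login.php
// Anything else (another site's URL) is returned unchanged.
function to_secure_url($url, $home, $secure_url)
{
    $home = rtrim($home, '/') . '/';
    if ($secure_url === '') {
        $url_host  = parse_url($url, PHP_URL_HOST);
        $home_host = parse_url($home, PHP_URL_HOST);
        if (is_string($url_host) && strcasecmp($url_host, $home_host) === 0) {
            return preg_replace('#^http://#i', 'https://', $url, 1);
        }
        return $url;
    }
    if (stripos($url, $home) === 0) {
        return rtrim($secure_url, '/') . '/' . substr($url, strlen($home));
    }
    return $url;
}

// Rewrite every href/src/action attribute that points at the blog over http.
// This is what keeps the browser's mixed-content warning away: the page is
// https, so the images, stylesheets and form targets it refers to must be too.
function secure_page_links($html, $home, $secure_url)
{
    $pattern = '#\b(?:href|src|action)=(["\'])(http://[^"\']+)\1#i';
    if (!preg_match_all($pattern, $html, $m)) {
        return $html;
    }
    $from = array();
    $to   = array();
    foreach ($m[0] as $i => $attribute) {
        $secure = to_secure_url($m[2][$i], $home, $secure_url);
        if ($secure !== $m[2][$i]) {
            $from[] = $attribute;
            $to[]   = str_replace($m[2][$i], $secure, $attribute);
        }
    }
    return str_replace($from, $to, $html);
}

// Constructed sample markup: a login form and an image on the blog, plus an
// external link that must be left alone.
$page = '<form action="http://mydomain.com/wordpress/wp-login.php">'
      . '<img src="http://mydomain.com/wordpress/wp-content/logo.png" />'
      . '<a href="http://wordpress.org/">WordPress</a></form>';

echo secure_page_links($page, $home, $secure_url), "\n";  // Shared SSL mapping
echo secure_page_links($page, $home, ''), "\n";           // Private SSL mapping
```

With $secure_url set as above, the form action and image source are moved under https://shared_ssl.com/username/wordpress/ while the wordpress.org link is untouched; with $secure_url empty they simply become https:// URLs on mydomain.com. Whole-attribute replacement is used rather than replacing bare URLs so that a short URL that is a prefix of a longer one cannot corrupt it. One caveat for the Shared SSL case: the certificate belongs to the host’s server name, so the browser shows the host’s name in the address bar and on the certificate, not your domain; the connection is still encrypted.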
April 21st, 2007 at 5:36 am
Works Great! Thanks for taking care of the cache issue with PHP 5.2
April 21st, 2007 at 2:22 pm
[…] Admin SSL / Secure-Admin Plugin Secures wp-admin/wp-login using an available Private or Shared SSL certificate. […]
May 26th, 2007 at 10:26 am
Hi Haris,
Thanks for your expertise on this plugin. I have installed the latest from your site and I’m still getting an error of “You don’t have permission to access /wp-admin/ on this server”. Are there any additional steps that need to be done by me?
May 26th, 2007 at 10:56 am
Hi Paul,
First of all it’s important to determine whether you are setup for using the plugin.
With the plugin de-activated, you should be able to access your blog using a https:// prefix. clicking on any links will return you back to http:// but at least you can determine whether the https:// counterpart is setup.
I suspect that you will get the same message without the plugin. This may be due to your permission settings with your host.
If you still can’t resolve it, contact me via the contact form and I’ll try to help you further. If you include any IM details we can have a live chat.
Haris
June 2nd, 2007 at 2:39 am
Encrypting WordPress Administration…
I’m not overly concerned about the security of this blog. There is no mission critical data here, but I am interested in encryption and using SSL. It makes sense to me, to force all use of the wordpress administration interface over SSL. I tho…
September 16th, 2007 at 12:12 am
[…] with your hosting provider to see if your blog supports SSL, then you can use the WordPress Admin SSL plugin to ensure that you always access your admin panel over an encrypted […]
September 26th, 2007 at 2:58 am
[…] at Haris.tv this gentleman fixed the plugin and released a patch version of it which works with 2.0.6 as well […]
April 4th, 2008 at 10:19 pm
It worked for me as well. Thank you very much.