SSL SecurityUpdate (16th April): Now compatible with PHP 5.2.1!
Update (19th April): Now supports Shared SSL certificates!

Update (24th April): Plugin renamed to ‘Admin-SSL’ now sports SSL encryption and my intention is to apply the security to parts of the site that handle sensitive information.

The Story
I’ve been spending a long while looking for the most efficient way to make use of an SSL certificate with WordPress. Although there have been some promising solutions out there, the majority required hacking at the code and didn’t seem elegant enough to me.

I was looking for something in the form of a plugin and found a couple. The first simply forced https:// for all the pages in a WordPress site which I didn’t want. The second (on paper anyhow …erm actually html) was ideal! Secure-Admin written by Ryan Boren of forces SSL for the admin pages and goes about encrypting the cookie contents:

On a technical level, what we’ve done is restricted your login cookies to be SSL-only, which means they will never be transmitted in the clear, and we’re encrypting the cookies sent in the clear to make it difficult for anyone to impersonate your login.

It also goes a long way to handle translation of http:// to https:// for certain page anchors avoiding security warnings from the browser about mixed (secure and nonsecure) content.

Great! I thought. So I downloaded it and went about the usual installation process.

To my confusion on activating the plugin, I was thrown out of my admin pages to a login screen and, once I logged back in, I could no longer see the admin menu bar. Any admin pages I tried to access would display:

You do not have sufficient permissions to access this page.

To gain control once more and deactivate the secure-admin plugin I simply FTP’d in and deleted the secure-admin.php file.

I found many people complaining of the same problem. At first I thought it was an issue with the WordPress release I was using at the time, 2.0.5, and even posted about this being the likely issue in the WordPress forum. However, I then found that the same problem was apparent with 2.1-Alpha which I subsequently tested. (Also tested 2.0.6 and a few other releases with the same results)

Since there are others complaining of the same issue with no resolution in sight I decided to roll up my sleeves, fire up my favourite PHP debugger and try and solve the mystery.

And I did! The problem, for those that are interested, came down to a call for user details that aren’t delivered intact due to missing functionality. Since the user cannot be identified WordPress locks you out thinking that you are not the administrator. I’ve written in a new function to cover the missing functionality and the user is now verified and all is working!

I don’t know why this functionality was incomplete in the first place. The last update to the plugin was 4 months ago and it may be that it’s no longer maintained. It was certainly well received when announced in this post on the WordPress site.

I’ve made the patched file available to anyone who wants it. I’ve tested it with WordPress 2.0.5, 2.0.6 and 2.1-Alpha so I assume it would work with anything 2.0> I would appreciate compatibility feedback, feel free to post a comment!


Secure-Admin has been replaced by Admin-SSL. See here