See here:
http://haris.tv/2007/01/11/wordpress-ssl-plugin-secure-admin-patched-and-working/#comment-32

Sorry for my english.

First you need to determine what setup you are using. Private or Shared SSL. This article is a good primer for anyone that is unsure.

For Private SSL setups you do not need to edit the file, therefore $secure_url should remain empty ie. $secure_url=”".

For Shared SSL setups, you need to first find out if you are given the option for Shared SSL as part of your hosting package. If you have this option, you should look into your web hosts support pages for setup details and the URI of the shared ssl location.

Once you have this address enter it into $secure_url INCLUDING THE WORDPRESS FOLDER ie. $secure_url=”https://secure.example.com/hostUsername/wordpress/”

After that, follow steps 2-4 in the instructions.

Hope that helps.

If you are still unsure what to do contact me. I’d be happy to help. If you include any IM details in your message we can have a live chat to talk things through.

Haris

I am working on a website where I want to have a few pages run through our security certificate, not the entire website just a couple of pages that contain some sensitive form info being processed. I have tried a few methods, including the links_to plugin but nothing seems to work. Any advice you could share would be most appreciated.

Cheers,
Brandon

If you are familiar with .htaccess files you could use mod rewrite to force https on certain pages which you could match in your condition statement. See here.

Or, if you only want one or two pages secured, you could force a redirect in your PHP code.

something like;

< ?php
if($_SERVER["HTTPS"] == "on" && the_title('' , '', false) == 'Contact') {
$newurl = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
header("Location: $newurl");
exit();
}
?>

Hope that helps

Cheers, Brandon

Anyway to get the plugin to exclude from switching to https for a pattern? I’d like to exclude the subscribe to comment plugin from admin-ssl.

Thanks,

Jan Dembowski

I haven’t looked into this before but I’ll take a look.

I’ve recently installed the subscribe to comments plugin myself. What’s the problem you’re experiencing with it?

For administration that’s fine but for posting comments it’s a bit weird. I tried to locate the reference in the subscribe to comments plugin but my PHP is too limited

I’ve turned off the Admin-SSL for testing this out and plan to look at the logs for the POST URL that got switched.

Ill certainly look into this for you on my return.

If, however you want to discuss anything further before I get back you can use the contact form (link top right) I get my emails on the road.

For anyone that would like to know the outcome, I’ll post a comment when we find a solution.

Haris

Go to lines 362 and 363 in admin-ssl.php.

Remove $comment_url and $secure_comment_url respectively (and their commas):
$replace_this = array($admin_url, $login_url, $comment_url);
$with_this = array($secure_admin_url, $secure_login_url, $secure_comment_url);

Let me know if you have any problems

Haris

That worked perfectly, much thanks!

Jan Dembowski

Found one little wrinkle (not a big deal). Removing comment_url amd secure_comment_url does work like a charm but when you manage your subscriptions, the subscribe to comments plugin contains a line

@import url( /wp-admin/wp-admin.css );

gets switched to https.

I’m trying to alter the subcribe to comment plugin to reference a different .css file without much success.

I’m also trying to get function sa_ob_handler to do

if ( $_SERVER[’REQUEST_URI’] == ‘/wp-admin/wp-admin.css’ ) { return; }

Alas my php is not up to task

This is not really a big deal because when you try to manage your subscriptions if you accept or reject the SSL cert the “manage your subcriptions” form still works.

Thanks,

Jan Dembowski

Anything which is behind the /wp-admin directory is a little trickier to change as it ALL gets forced to https.

I’ve written a quick fix for you that should ignore the subscription page for anything that is referenced from it to the wp-admin/ folder.

admin-ssl.php, line 394, add the following before the existing line of code (make sure it’s all on 1 line):
if (!strstr($_SERVER[’QUERY_STRING’], ‘wp-subscription-manager=1′)) add_action(’init’, ’sa_register_ob_handler’);

Let me know how it goes.

That worked perfectly. For URL’s not containing the string ‘wp-subscription=1′, the admin-ssl plugins is engaged and works.

For URL’s that contain that string (the manage your subscription URL) then the action is not added and the URL’s such as http://blog.com/wp-admin/wp-admin.css remain untouched.

Thanks for the really quick turn around, and I think I now know how to add more conditions for bypassing if I need to.

Jan Dembowski

Haris

When I access anything in wp-admin via the regular site, i.e. http://siliconrow.boldlyogingnowhere.org/shadowman/blog/wp-admin/ I get redirected to …where.org/shadowman/shadowman/blog/wp-admin/.

I have two other blogs on the same virtual hosts, both at …where.org/username/blog/, and they have the same problem.

However, I would have never noticed this if I didn’t encounter my first problem, which is that the Login link url on my blog is not generated ‘https’ but instead as ‘http’. This problem, though, only happens on my blog for some reason.

Other than that, the plugin appears to be working great!

Andy

Andy

Thanks for all the work on this!

@ FocalPower, you’re welcome!

Any plans on releasing a new version with these options, perhaps as a configuration feature? This is essential for people using self-signed certificates.

I am intending to update the plugin sometime in the future and include the features you mention. I’m currently busy with other commitments so I can’t say when this will be.

In the meantime you can follow these posts to configure Admin-SSL to your requirements:

For disabling comments being posted through SSL:
http://haris.tv/2007/04/24/admin-ssl-new-wordpress-plugin/#comment-5658

For stopping subscribe-to-comments plugin referencing https urls:
http://haris.tv/2007/04/24/admin-ssl-new-wordpress-plugin/#comment-5696

For the patch that is described in comment #21 above, you have to be careful if you cut and paste.

The line to add is

if (!strstr($_SERVER[’QUERY_STRING’], ‘wp-subscription-manager=1′)) add_action(’init’, ’sa_register_ob_handler’);

Note that the browser is using smart quote marks. When I copied this line into an SSH terminal and the VI editor, the quotes appear as periods. So, check the quote marks after you paste the line.

I applied the “fix” from above (#17) to not use ssl for the comments in order to not ask commenters to accept an untrusted certificate. This has the funny but understandable effect that the logged-in admin cannot comment himself anymore. After all, he is logged in via the https-url and not http that now handles the comments. Therefore Wordpress complains about the missing name and email.

It’s not high priority, but if you have an idea how to easily fix this, it would be welcome.

Regards
Thomas

I’m intending to update the plugin and have noted your request. Not sure when this will be but will update this thread when I do.

Thanks for posting.

Haris

To obtain the updated version visit http://kerrins.co.uk/blog/?p=128

Haris

I found a great……