Tue 24 Apr 2007
Since patching the Secure-Admin plugin a few months back, the download count and positive feedback have been fantastic.
I’ve recently adapted it to work with PHP 5.2 and, due to popular request, also expanded the featureset to cater for Shared SSL setups.
In light of the expanding featureset I’ve decided to rename the plugin to Admin-SSL to distinguish it from the original.
Features
- Secures Wordpress Login and Admin Pages
- Supports All SSL Setups (Private and Shared)
- Encrypts cookie contents
- Compatible with all versions of PHP 4 and 5
- Easy to install (1 file uploaded)
Limitations
Shared SSL setup does not reflect the user as logged in on the unsecured site.
Step 1b is only for Shared SSL setups; skip it for Private SSL.
1. Download the Admin-SSL plugin (below) and unzip contents
1b. Edit admin-ssl.php to add the WordPress location at the shared SSL domain, e.g. $secure_url="https://shared_ssl.com/username/wordpress/"
2. Upload admin-ssl.php to the /wp-content/plugins/ directory
3. Log into the WordPress admin panel and click on the Plugins button
4. Locate the Admin-SSL listing and click Activate
Download
May 1st, 2007 at 9:37 pm
[…] Admin SSL secures WordPress login and admin pages for that extra bit of security. […]
May 1st, 2007 at 11:37 pm
I get a message saying that the site has sent an incorrect or unexpected message. Error code: -12263. (Following instructions above, without 1b).
May 2nd, 2007 at 7:28 am
That points to a problem with the ssl setup on the server.
See here:
http://haris.tv/2007/01/11/wordpress-ssl-plugin-secure-admin-patched-and-working/#comment-32
May 4th, 2007 at 2:06 am
[…] http://haris.tv/2007/04/24/admin-ssl-new-wordpress-plugin/ […]
May 5th, 2007 at 1:47 pm
It’s cool, I used it for my wp-admin, thanks.
May 6th, 2007 at 4:36 pm
[…] Admin SSL secures the WordPress administration pages and login for that extra touch of security. […]
May 8th, 2007 at 12:53 pm
Hi Haris.
I have a problem with your plugin.
In $secure_url="", what link I can write?
Link of my website?
If I insert my website (www.url.com) I get an error and I can remove plugin to login in my admin panel.
Thanks.
Sorry for my english.
May 8th, 2007 at 1:34 pm
Hi ales,
First you need to determine what setup you are using. Private or Shared SSL. This article is a good primer for anyone that is unsure.
For Private SSL setups you do not need to edit the file, therefore $secure_url should remain empty, i.e. $secure_url="".
For Shared SSL setups, you need to first find out if you are given the option for Shared SSL as part of your hosting package. If you have this option, you should look into your web host’s support pages for setup details and the URI of the shared SSL location.
Once you have this address, enter it into $secure_url INCLUDING THE WORDPRESS FOLDER, i.e. $secure_url="https://secure.example.com/hostUsername/wordpress/"
After that, follow steps 2-4 in the instructions.
Hope that helps.
If you are still unsure what to do contact me. I’d be happy to help. If you include any IM details in your message we can have a live chat to talk things through.
Haris
May 17th, 2007 at 3:50 am
Haris,
It’s a great plugin, thanks for sharing it. I have a different issue I am hoping you may have some advice on…
I am working on a website where I want to have a few pages run through our security certificate, not the entire website just a couple of pages that contain some sensitive form info being processed. I have tried a few methods, including the links_to plugin but nothing seems to work. Any advice you could share would be most appreciated.
Cheers,
Brandon
May 17th, 2007 at 7:41 am
Hi Brandon,
If you are familiar with .htaccess files you could use mod rewrite to force https on certain pages which you could match in your condition statement. See here.
Or, if you only want one or two pages secured, you could force a redirect in your PHP code.
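Something like:
<?php
// Redirect only when the request is NOT already on HTTPS (redirecting while
// HTTPS is "on" would loop), and only for the page titled "Contact".
if ((empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on") && the_title('', '', false) == 'Contact') {
    $newurl = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    header("Location: $newurl");
    exit();
}
?>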
Hope that helps
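The per-page redirect suggested in the reply above, as an added example that is not part of the original comment or of the plugin: it decides from the request whether a redirect is needed, never redirects a request that is already on HTTPS, and builds the target from a configured host. The example_* function names, the constants and the paths are assumptions made for illustration.

```php
<?php
// Added example. All values below are constructed for illustration.
const CANONICAL_HOST  = 'www.example.com';              // assumption: fixed in config, not read from the request
const SECURE_PREFIXES = ['/contact/', '/order-form/'];  // hypothetical paths that must use HTTPS

function example_is_https(array $server): bool
{
    // PHP sets HTTPS to a non-empty value on TLS requests; some servers report "off" otherwise.
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Returns the https:// URL to redirect to, or null when no redirect is needed.
function example_https_target(array $server): ?string
{
    if (example_is_https($server)) {
        return null; // already secure: redirecting here would loop forever
    }
    $uri  = $server['REQUEST_URI'] ?? '/';
    $path = parse_url($uri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null; // unparseable request target: leave it alone
    }
    foreach (SECURE_PREFIXES as $prefix) {
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            return 'https://' . CANONICAL_HOST . $uri;
        }
    }
    return null;
}

if (PHP_SAPI !== 'cli') {
    // In a web request: redirect before any output is sent.
    $target = example_https_target($_SERVER);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
} else {
    // On the command line: run the decision over constructed requests.
    $samples = [
        ['REQUEST_URI' => '/contact/?ref=home'],
        ['REQUEST_URI' => '/contact/', 'HTTPS' => 'on'],
        ['REQUEST_URI' => '/2007/04/24/some-post/', 'HTTPS' => 'off'],
    ];
    foreach ($samples as $s) {
        echo $s['REQUEST_URI'], ' => ', example_https_target($s) ?? '(no redirect)', PHP_EOL;
    }
}
```

The redirect only protects later requests; a form whose contents should never travel in clear text needs its action attribute to point at the https:// URL itself.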
May 17th, 2007 at 2:36 pm
Haris, thanks for this. I’ll do a bit of mucking around and see what works best.
Cheers, Brandon
May 17th, 2007 at 2:54 pm
You’re welcome, thanks for dropping by.
May 19th, 2007 at 2:01 pm
Haris,
Anyway to get the plugin to exclude from switching to https for a pattern? I’d like to exclude the subscribe to comment plugin from admin-ssl.
Thanks,
Jan Dembowski
May 19th, 2007 at 2:27 pm
Hi Jan,
I haven’t looked into this before but I’ll take a look.
I’ve recently installed the subscribe to comments plugin myself. What’s the problem you’re experiencing with it?
May 19th, 2007 at 2:33 pm
When I submit a comment, the POST is getting switched to SSL. My SSL cert is self signed so when I submit a comment I get “Do you want to accept this cert?” dialog box.
For administration that’s fine but for posting comments it’s a bit weird. I tried to locate the reference in the subscribe to comments plugin but my PHP is too limited
I’ve turned off the Admin-SSL for testing this out and plan to look at the logs for the POST URL that got switched.
May 19th, 2007 at 2:56 pm
Jan, I’m writing this from my PDA and won’t be back at the computer ’til after the weekend.
I’ll certainly look into this for you on my return.
If, however you want to discuss anything further before I get back you can use the contact form (link top right) I get my emails on the road.
For anyone that would like to know the outcome, I’ll post a comment when we find a solution.
Haris
May 21st, 2007 at 9:43 am
Jan, to prevent Admin-SSL passing comments over SSL:
Go to lines 362 and 363 in admin-ssl.php.
Remove $comment_url and $secure_comment_url respectively (and their commas):
$replace_this = array($admin_url, $login_url, $comment_url);
$with_this = array($secure_admin_url, $secure_login_url, $secure_comment_url);
Let me know if you have any problems
Haris
May 21st, 2007 at 6:48 pm
[…] plugin admin-ssl, so that all administration is […]
May 22nd, 2007 at 12:32 am
Haris,
That worked perfectly, much thanks!
Jan Dembowski
May 22nd, 2007 at 10:38 am
Haris,
Found one little wrinkle (not a big deal). Removing comment_url and secure_comment_url does work like a charm but when you manage your subscriptions, the subscribe to comments plugin contains a line
@import url( /wp-admin/wp-admin.css );
gets switched to https.
I’m trying to alter the subscribe to comment plugin to reference a different .css file without much success.
I’m also trying to get function sa_ob_handler to do
if ( $_SERVER['REQUEST_URI'] == '/wp-admin/wp-admin.css' ) { return; }
Alas my php is not up to task
This is not really a big deal because when you try to manage your subscriptions if you accept or reject the SSL cert the “manage your subscriptions” form still works.
Thanks,
Jan Dembowski
May 22nd, 2007 at 2:47 pm
Hi Jan,
Anything which is behind the /wp-admin directory is a little trickier to change as it ALL gets forced to https.
I’ve written a quick fix for you that should ignore the subscription page for anything that is referenced from it to the wp-admin/ folder.
admin-ssl.php, line 394, add the following before the existing line of code (make sure it’s all on 1 line):
if (!strstr($_SERVER['QUERY_STRING'], 'wp-subscription-manager=1')) add_action('init', 'sa_register_ob_handler');
Let me know how it goes.
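The two changes discussed in this thread (leaving the comment URL out of the rewrite list, and skipping the rewrite for the subscription-manager query string), sketched as an added stand-alone example. It is not the plugin's code: the example_* functions, the constants and the URLs are assumptions, and it only rewrites absolute URLs.

```php
<?php
// Constructed values for the demo; a real site would take these from its own configuration.
const SITE_URL       = 'http://blog.example.com/';
const SECURE_URL     = 'https://secure.example.com/hostUsername/wordpress/';
const SECURE_TARGETS = ['wp-admin/', 'wp-login.php'];  // comment handler deliberately left out
const BYPASS_MARKERS = ['wp-subscription-manager=1'];  // query strings that skip rewriting

// False when the query string carries one of the bypass markers.
function example_should_rewrite(string $query_string): bool
{
    foreach (BYPASS_MARKERS as $marker) {
        if (strpos($query_string, $marker) !== false) {
            return false;
        }
    }
    return true;
}

// Output-buffer callback: swap plain-HTTP admin/login URLs for their secure form.
function example_rewrite_links(string $html): string
{
    $replace_this = [];
    $with_this    = [];
    foreach (SECURE_TARGETS as $target) {
        $replace_this[] = SITE_URL . $target;
        $with_this[]    = SECURE_URL . $target;
    }
    return str_replace($replace_this, $with_this, $html);
}

// Constructed page fragment: a login link, a comment form and an admin stylesheet.
$page = '<a href="http://blog.example.com/wp-login.php">Log in</a>' . PHP_EOL
      . '<form action="http://blog.example.com/wp-comments-post.php" method="post"></form>' . PHP_EOL
      . '<link rel="stylesheet" href="http://blog.example.com/wp-admin/wp-admin.css">' . PHP_EOL;

foreach (['p=12', 'wp-subscription-manager=1'] as $query_string) {
    echo "--- query string: $query_string", PHP_EOL;
    if (example_should_rewrite($query_string)) {
        ob_start('example_rewrite_links'); // rewriting happens when the buffer is flushed
        echo $page;
        ob_end_flush();
    } else {
        echo $page; // bypassed: every URL is emitted unchanged
    }
}
```

A bypass like this only changes which links the page emits. It does not stop a browser from requesting the admin URLs over plain HTTP, so it should not be the only control keeping them on HTTPS.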
May 22nd, 2007 at 5:09 pm
Haris,
That worked perfectly. For URL’s not containing the string ‘wp-subscription=1′, the admin-ssl plugin is engaged and works.
For URL’s that contain that string (the manage your subscription URL) then the action is not added and the URL’s such as http://blog.com/wp-admin/wp-admin.css remain untouched.
Thanks for the really quick turn around, and I think I now know how to add more conditions for bypassing if I need to.
Jan Dembowski
May 22nd, 2007 at 5:20 pm
That’s good news. Thanks for the follow up!
Haris
May 25th, 2007 at 9:14 pm
Thanks a lot for this plugin!!! That’s exactly this, what I was looking for! =)
May 27th, 2007 at 1:01 pm
I’ve noticed a problem in your plugin.
When I access anything in wp-admin via the regular site, i.e. http://siliconrow.boldlyogingnowhere.org/shadowman/blog/wp-admin/ I get redirected to …where.org/shadowman/shadowman/blog/wp-admin/.
I have two other blogs on the same virtual hosts, both at …where.org/username/blog/, and they have the same problem.
However, I would have never noticed this if I didn’t encounter my first problem, which is that the Login link url on my blog is not generated ‘https’ but instead as ‘http’. This problem, though, only happens on my blog for some reason.
Other than that, the plugin appears to be working great!
Andy
May 28th, 2007 at 8:28 am
Found the problem with the “Login url not getting rewritten to https://” bug: it does not work if the “WordPress should compress articles (gzip) if browsers ask for them” option on the Options -> Reading page is enabled.
Andy
May 28th, 2007 at 7:44 pm
Great plugin. Just like everyone else, this is exactly what I was looking for to secure my blog!
Thanks for all the work on this!
May 28th, 2007 at 7:55 pm
@ Andy thanks for posting that and the followup!
@ FocalPower, you’re welcome!
May 30th, 2007 at 11:16 pm
I am also using this plugin but require the features discussed for disabling https when comments are submitted or subscribed to.
Any plans on releasing a new version with these options, perhaps as a configuration feature? This is essential for people using self-signed certificates.
May 31st, 2007 at 8:00 am
Hi Andrew,
I am intending to update the plugin sometime in the future and include the features you mention. I’m currently busy with other commitments so I can’t say when this will be.
In the meantime you can follow these posts to configure Admin-SSL to your requirements:
For disabling comments being posted through SSL:
http://haris.tv/2007/04/24/admin-ssl-new-wordpress-plugin/#comment-5658
For stopping subscribe-to-comments plugin referencing https urls:
http://haris.tv/2007/04/24/admin-ssl-new-wordpress-plugin/#comment-5696
May 31st, 2007 at 6:03 pm
Here is a warning.
For the patch that is described in comment #21 above, you have to be careful if you cut and paste.
The line to add is
if (!strstr($_SERVER[’QUERY_STRING’], ‘wp-subscription-manager=1′)) add_action(’init’, ’sa_register_ob_handler’);
Note that the browser is using smart quote marks. When I copied this line into an SSH terminal and the VI editor, the quotes appear as periods. So, check the quote marks after you paste the line.
June 3rd, 2007 at 1:31 pm
[…] to create a WordPress plugin that secured the access to the admin area. The plugin is called Admin-SSL. The plugin supports both shared and private SSL […]
June 4th, 2007 at 12:56 am
[…] blog are served through https. Ah, well. Let’s see if this is better now. I finally found a plugin for wordpress, that allows to keep the admin pages on secure http and the blog on plain […]
June 6th, 2007 at 3:34 pm
First of all thank you for the great plugin.
I applied the “fix” from above (#17) to not use ssl for the comments in order to not ask commenters to accept an untrusted certificate. This has the funny but understandable effect that the logged-in admin cannot comment himself anymore. After all, he is logged in via the https-url and not http that now handles the comments. Therefore Wordpress complains about the missing name and email.
It’s not high priority, but if you have an idea how to easily fix this, it would be welcome.
Regards
Thomas
June 6th, 2007 at 3:42 pm
Hi Thomas,
I’m intending to update the plugin and have noted your request. Not sure when this will be but will update this thread when I do.
Thanks for posting.
Haris
June 30th, 2007 at 2:24 pm
[…] Haris has some info about Admin-SSL : New Wordpress Plugin at Haris.tv. Posted in Carnivals, Community Events Bookmark the permalink. Follow any comments […]
July 17th, 2007 at 1:52 pm
[…] configure. I had the plugin installed and configured in minutes. I highly recommend this one. The Admin-SSL plugin, gave us the security around the login that we […]
August 1st, 2007 at 3:31 pm
Thanks for this plugin. It works great with my shared GoDaddy hosting. I purchased their TurboSSL certificate. Awesome stuff…
August 24th, 2007 at 9:29 am
[…] K2 advanced template for Wordpress (customized to not show any version numbers on this site), Admin-SSL for securing login and admin pages with SSL and Spam Karma 2 to stop all forms of automated Blog […]
September 30th, 2007 at 9:12 am
[…] Admin SSL - Secures Login and Admin pages using Private or Shared SSL […]
October 12th, 2007 at 4:28 am
[…] Admin SSL This plugin adds security to your login and admin pages through SSL. […]
October 23rd, 2007 at 7:13 pm
Thank you for updating this plug-in! I couldn’t use secure-admin because it blanked out my field labels, but this one works great.
November 13th, 2007 at 8:57 am
[…] once the virtualhost was configured with SSL, I added the Admin-SSL plugin to my blog to redirect the administration site over […]
December 30th, 2007 at 2:19 am
[…] apparently not a priority. Fortunately, the Admin-SSL plugin has been available again since April. To prevent unencrypted connections to the wp-admin subfolder entirely, […]
January 26th, 2008 at 11:23 pm
[…] WordPress admin SSL plugin which I use since I turned off SSL for most of the site Posted by Andrew Armstrong on Saturday, January 26, 2008, at 23:23, and filed under Site. Follow any responses to this post with its comments RSS feed. You can post a comment or trackback from your blog. […]
March 11th, 2008 at 8:13 pm
Excellent! Plugged it in, turned it on, poof! Works beautifully. Thanks!
April 10th, 2008 at 12:27 pm
Due to other commitments I am no longer able to update/support this plugin. However, Ben Green has kindly offered to continue updating it and has polished it up for Wordpress 2.5.
To obtain the updated version visit http://kerrins.co.uk/blog/?p=128
Haris
April 11th, 2008 at 12:21 am
Haris, thanks for this. I’ll be checking out Ben Green’s page since I recently upgraded to wordpress 2.5.
November 29th, 2009 at 3:14 pm
[…] This plugin enhances the security level of the admin and wordpress login pages. Read more at this link. - Supports All SSL Setups (Private and Shared) - Encrypts cookie contents - Compatible with all […]