How to easily enable SSL for your wp-admin folder
With the growing number of free wifi cafes and people managing their WordPress blogs, tweeting, and updating their Facebook statuses, security should be at the top of one's list....so you would think.
At home most everyone has a wireless security-enabled network which protects you, but what most people don't realize is the free wifi networks can be dangerous since there's no encryption.
I'm no hacker, but my curiousity got the best of me and I wanted to see how easy it was to "packet sniff" on public wireless networks.
Here's the scenario:
- I'm sitting at my local Starbucks connected to their free wifi.
- I launch my free packet sniffer software & a firefox plugin
- In comes all sorts of data including clear text logins and passwords!
I was basically able to hijack someone's Facebook account (but of course didn't do anything malicious) and was only there for about 20 minutes. What if someone was logging into their WordPress site while I was sniffing the data? I'd probably be able to grab their username & password!
So what's my point?
Be aware of your surroundings and don't think a simple firewall on your laptop will prevent hackers in public places from accessing your data. Open wifi networks do not encrypt your data going back and forth (unless you're accessing a https site). It's almost like announcing your login credentials out-loud while you're logging in.
Here's my solution
For your WordPress site it's pretty simple. Enable and force SSL usage for your user logins. You can do this by setting the WordPress constant FORCE_SSL_LOGIN to true in your
wp-config.php file.
Code:
define('FORCE_SSL_LOGIN', true);
To also enable and force SSL usage for your admin area, you can add the WordPress constant FORCE_SSL_ADMIN and set it to true in your
wp-config.php file.
Code:
define('FORCE_SSL_ADMIN', true);
Which should you use?
FORCE_SSL_LOGIN is for when you want to secure logins so that passwords are not sent in the clear, but you still want to allow non-SSL admin sessions (since SSL can be slow).
FORCE_SSL_ADMIN is for when you want to secure logins
and the admin area so that both passwords and cookies are never sent in the clear. This is the most secure option.
Note: Not all hosting providers allows you to use SSL, however. I know that HostGator does so you'll want to check with your host first. Specifically ask if your server has the SSL module enabled. A quick test would be to enter your website url using https instead of http.
SSL certificate
If your server supports SSL then you can also purchase an SSL certificate from a third party like GoDaddy. It's not required and probably not worth the hassle if you're the only one that's going to be using your WordPress login.
Without an SSL certificate you will just get a message in your browser that says something like, "the security connection isn't verified...blah blah blah". You can usually just add an exception so that message won't pop up again.
Your connection will still be secure, it's just not verified which is fine because you're the only one needing the SSL. If you were running a site that processes credit cards or requires secure logins for customers, then you'd want to invest in an SSL cert and have your host provider install it for you.
Great SSL FireFox plugin
For general protection, I recommend installing a FireFox plugin called,
Force-TLS. I use it all the time. It's a way to force any site(s) you define to automatically use SSL.
For example, if I type in
http://www.facebook.com, my browser automatically changes that to,
https://www.facebook.com
This will ensure that my Facebook login/password will never be openly sent over a public wifi.
For more details and advanced info on WordPress SSL, check out their
Administration Over SSL Codex article.
Last edited by dcowgill; January 13th, 2011 at 10:46 PM.
Reply With Quote
Originally Posted by dcowgill
