[wp-hackers] thorough admin SSL
Mike Little
wordpress at zed1.com
Wed Feb 3 22:50:06 UTC 2010
On 3 February 2010 21:28, Steve Taylor <steve at sltaylor.co.uk> wrote:
> OK, for this issue I'm resorting to buffering admin output and
> replacing HTTP with HTTPS (a little more refined than that, but you
> get the idea). Seems to work well, except...
>
> How do I hook into the login page footer? admin_head and admin_footer
> - great. I don't need the wp_head and wp_footer, the front isn't SSL.
> login_head - great, halfway there. What about login_footer? I can't
> see a trace of it. Any other options?
>
> thanks,
>
> Steve
>
Steve,

I have encountered this on a project before, in particular, wpmu has several
places hard-coded with 'http' (it also doesn't support a port number in
URLs, but that's another project problem I had to solve).

My simple fix was to do it in Apache using mod_substitute - forget output
buffering and all that hassle. Worked like a charm! (I still turned on the
WP settings, and had a bounce-everything-to-https rewrite rule.)

Add the following to wp-config.php:

    define( "FORCE_SSL_ADMIN", true );
    define( "FORCE_SSL_LOGIN", true );

Add the following rule to the .htaccess at the root of the site:

    RewriteCond %{HTTPS} ^off$ [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Add the following to the vhost settings in main Apache config:

    AddOutputFilterByType SUBSTITUTE text/html
    AddOutputFilterByType SUBSTITUTE application/atom+xml
    AddOutputFilterByType SUBSTITUTE text/xml
    AddOutputFilterByType SUBSTITUTE application/xhtml+xml
    Substitute s|http://yourdomain.com|https://yourdomain.com|in

substituting the correct host names.

This was for the whole site served as https, but you could wrap the
substitute stuff in a <location> section to just cover wp-login.php,
wp-register.php and /wp-admin/

Oh, and because this was an existing site with lots of content, I did an
export/search-and-replace/import on the database too.

Hope this helps,

Mike
--
Mike Little
http://zed1.com/
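
A way to check that the rewrite described above leaves nothing behind, as an added example that is not part of the original post: the Python below scans a page's HTML for href, src and action attributes that still point at the site host over plain http. The function and class names and the sample page are constructed for illustration; yourdomain.com is the placeholder host from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch from, or submit to, a URL.
URL_ATTRS = {"href", "src", "action"}


class InsecureRefFinder(HTMLParser):
    """Collect (line, tag, attr, url) for plain-http references to `host`."""

    def __init__(self, host):
        super().__init__()
        self.host = host.lower()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            # urlsplit lower-cases the scheme; .hostname is lower-cased too,
            # which mirrors the case-insensitive `i` flag on the Substitute rule.
            if parts.scheme == "http" and parts.hostname == self.host:
                self.hits.append((self.getpos()[0], tag, name, value))


def find_insecure_refs(html, host):
    """Return every attribute in `html` that still uses http:// for `host`."""
    finder = InsecureRefFinder(host)
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample: a login page as emitted without the output filter.
SAMPLE_LOGIN_PAGE = """<html><head>
<link rel="stylesheet" href="http://yourdomain.com/wp-admin/css/login.css" />
<script src="HTTP://YourDomain.com/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<form action="https://yourdomain.com/wp-login.php" method="post"></form>
<a href="http://wordpress.org/">Powered by WordPress</a>
<img src="/wp-admin/images/logo-login.gif" />
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_refs(SAMPLE_LOGIN_PAGE, "yourdomain.com"):
        print(f"line {line}: <{tag} {attr}={url!r}>")
```

Run it against the saved source of wp-login.php and a few /wp-admin/ pages; an empty result means no same-host http references remain in those attributes, while links to other hosts and relative URLs are ignored by design.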