User:Currance/Wordpress Secure Login Hack

This article is a ROUGH DRAFT. The author is still working on this document, so please do not edit this without the author's permission. The content within this article may not yet be verified or valid. This information is subject to change.

UPDATE: Admin-SSL Plugin (formerly Secure-Admin) makes use of an installed Private or Shared SSL certificate


I wanted to make sure logging into my Wordpress admin page was done over a secure (HTTPS) connection, so I performed this little hack on my Wordpress installation. I already had my Apache configured to support SSL encryption for the Wordpress site (configuring Apache/SSL is outside the scope of this tutorial), so all I needed to do was tell Wordpress to use the HTTPS port when connecting to the admin interface. Here is how I did it.

This tutorial requires two steps:

  1. Add a securesiteurl entry to the options table for your Wordpress installation
  2. Modify template-functions-general.php to make use of the securesiteurl for logging in


Step 1:

Modify the options database table for your Wordpress installation by adding the following table entry (be sure to change <your_wordpress_db_prefix> and <your_siteurl> to meet your needs; the following syntax is the single mysql statement I used):

INSERT INTO <your_wordpress_db_prefix>_options VALUES
(65,0,'securesiteurl','Y',1,'https:<your_siteurl>',20,8,
'Secure Wordpress web address',1,'yes');

I added my securesiteurl entry as number 65 which just happened to be the next one after the last in my original installation.


Step 2:

Modify the function wp_loginout in the file template-functions-general.php to include your new securesiteurl option. As an example I have the original code snippet and the modified version from a Wordpress:

Original:

function wp_loginout() {
  global $user_ID;
  get_currentuserinfo();

  // No user is logged in: show the Login link, built from the plain siteurl option
  if ('' == $user_ID) :
    $link = '<a href="' . get_settings('siteurl') . '/wp-login.php">' . __('Login') . '</a>';

Modified to use "securesiteurl":

function wp_loginout() {
 global $user_ID;
 get_currentuserinfo();

 // No user is logged in: show the Login link, now built from the securesiteurl option
 if ('' == $user_ID) :
   $link = '<a href="' . get_settings('securesiteurl') . '/wp-login.php">' . __('Login') . '</a>';

Now you should be able to refresh your browser and click the Login link and it should point to your HTTPS site.
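A way to check the result of Step 2 without clicking through, as an added example that is not part of the original tutorial: this Python script scans a rendered page for links and forms that target wp-login.php and reports any that do not resolve to HTTPS. The host blog.example and the sample HTML are constructed, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginTargetFinder(HTMLParser):
    """Collect every <a href> and <form action> that targets wp-login.php."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []  # list of (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = {"a": "href", "form": "action"}.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Resolve relative links against the page they were served from:
        # "/wp-login.php" on an http:// page is still an http:// login.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).path.endswith("/wp-login.php"):
            self.targets.append((tag, absolute))


def insecure_login_targets(page_url, html):
    """Return the wp-login.php targets on the page that are not HTTPS."""
    finder = LoginTargetFinder(page_url)
    finder.feed(html)
    return [(tag, url) for tag, url in finder.targets
            if urlsplit(url).scheme != "https"]


# Constructed sample pages; blog.example is a placeholder host.
PAGE_URL = "http://blog.example/"
BEFORE = '<li><a href="http://blog.example/wp-login.php">Login</a></li>'
AFTER = '<li><a href="https://blog.example/wp-login.php">Login</a></li>'
# If the securesiteurl value comes back empty, the link becomes relative.
MISSING_OPTION = '<li><a href="/wp-login.php">Login</a></li>'

if __name__ == "__main__":
    for name, html in [("before", BEFORE), ("after", AFTER),
                       ("missing option", MISSING_OPTION)]:
        print(name, insecure_login_targets(PAGE_URL, html))
```

To run it against a live site, pass the URL you fetched and the HTML body you received to insecure_login_targets(); an empty list means every login target on that page resolves to HTTPS.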

Let me know if you find this tutorial useful (mrcls_at_satellitecastle.org).
