[wp-hackers] thorough admin SSL

Mike Little wordpress at zed1.com
Wed Feb 3 22:50:06 UTC 2010


On 3 February 2010 21:28, Steve Taylor <steve at sltaylor.co.uk> wrote:

> OK, for this issue I'm resorting to buffering admin output and
> replacing HTTP with HTTPS (a little more refined than that, but you
> get the idea). Seems to work well, except...
>
> How do I hook into the login page footer? admin_head and admin_footer
> - great. I don't need the wp_head and wp_footer, the front isn't SSL.
> login_head - great, halfway there. What about login_footer? I can't
> see a trace of it. Any other options?
>
> thanks,
>
> Steve
>


Steve,
I have encountered this on a project before; in particular, WPMU has several
places hard-coded with 'http' (it also doesn't support a port number in
URLs, but that's another project problem I had to solve).

My simple fix was to do it in Apache using mod_substitute - forget output
buffering and all that hassle. Worked like a charm! (I still turned on the
WP settings, and had a bounce-everything-to-https rewrite rule.)

Add the following to wp-config.php:

  define( "FORCE_SSL_ADMIN", true );
  define( "FORCE_SSL_LOGIN", true );

Add the following rule to the .htaccess at the root of the site:

  RewriteCond %{HTTPS} ^off$ [NC]
  RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Add the following to the vhost settings in the main Apache config:

  AddOutputFilterByType SUBSTITUTE text/html
  AddOutputFilterByType SUBSTITUTE application/atom+xml
  AddOutputFilterByType SUBSTITUTE text/xml
  AddOutputFilterByType SUBSTITUTE application/xhtml+xml
  Substitute s|http://yourdomain.com|https://yourdomain.com|in

substituting the correct host names.

This was for the whole site served as https, but you could wrap the
substitute stuff in a <Location> section to just cover wp-login.php,
wp-register.php and /wp-admin/.

Oh, and because this was an existing site with lots of content, I did an
export/search-and-replace/import on the database too.


Hope this helps,


Mike
-- 
Mike Little
http://zed1.com/
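
The scoped variant mentioned in the message above, as an added example that is not part of the original post: it assumes WordPress is installed at the site root, that mod_substitute and mod_headers are loaded, and that `yourdomain.com` stands in for the real host name. The `RequestHeader` line is an addition not in the message, included because mod_substitute cannot rewrite a body that has already been compressed.

```apache
# Added example (not from the original message). Place inside the existing
# HTTPS <VirtualHost> block for the site. Assumption: WordPress lives at "/".

# Limit the rewriting to the login, registration and admin URLs so the
# non-SSL front end is served untouched.
<LocationMatch "^/(wp-login\.php|wp-register\.php|wp-admin/)">

    # Assumption: PHP or a plugin may gzip its own output. Dropping the
    # request's Accept-Encoding header makes the application send plain
    # text, which the SUBSTITUTE filter can then read and rewrite.
    RequestHeader unset Accept-Encoding

    # Same content types as in the message: run them through mod_substitute.
    AddOutputFilterByType SUBSTITUTE text/html
    AddOutputFilterByType SUBSTITUTE application/atom+xml
    AddOutputFilterByType SUBSTITUTE text/xml
    AddOutputFilterByType SUBSTITUTE application/xhtml+xml

    # i = case-insensitive match, n = treat the pattern as a fixed string
    # (so the dots in the host name are literal, not regex wildcards).
    Substitute "s|http://yourdomain.com|https://yourdomain.com|in"

</LocationMatch>
```

After reloading Apache, viewing the source of wp-login.php over HTTPS and searching for `http://yourdomain.com` shows whether any hard-coded references were missed, for example ones written with escaped slashes inside inline JavaScript.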

