[wp-hackers] thorough admin SSL

Steve Taylor steve at sltaylor.co.uk
Tue Feb 2 00:16:27 UTC 2010


I'm spending a lot of time tracking down the source of various non-SSL
URLs coming up in admin pages.

I'm using FORCE_SSL_ADMIN in wp-config.php, of course, but this
doesn't seem to be enough. This kind of issue seems to be happening with
a few plugins:

http://wordpress.org/support/topic/297488?replies=2

I can't for the life of me track down why WP_PLUGIN_URL isn't getting HTTPS set.

Anyway, there seem to be quite a few more non-HTTPS URLs in my source
(JS or CSS includes), so before I spend more time and hack more
plugins I thought I'd step back and consult everyone.

My set-up (before hacking plugins) is to set FORCE_SSL_ADMIN to true
in wp-config.php, and I've added a little custom plugin with this
code:

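// On admin pages with FORCE_SSL_ADMIN on, rewrite http:// to https://
// in the filtered option value unless it already starts with https://.
function slt_adminURL( $value ) {
	if ( is_admin() && FORCE_SSL_ADMIN && substr( $value, 0, 8 ) != "https://" )
		$value = str_replace( "http://", "https://", $value );
	return $value;
}
// Priority 0 so the rewrite runs before other filters on these options.
add_filter( 'option_siteurl', 'slt_adminURL', 0 );
add_filter( 'option_url', 'slt_adminURL', 0 );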

I see that http://wordpress.org/extend/plugins/admin-ssl-secure-admin/
is unanimously voted as broken, and
http://wordpress.org/extend/plugins/secure-admin/ looks even less
promising. Has anyone pursued this to the bitter end? Any hints to
help my end be less bitter? ;-)

This seems to be a critical issue. If you use HTTPS on admin - a very
good idea - and have public users, it's just not good company PR to
have the "Do you want to display insecure items?" prompt popping up.
Even worse, AFAIK IE recently switched the default response from "Yes"
to "No". Clearly IE is atypically correct here - the issue is surely
with WP and / or plugins.

Thanks for any feedback...

