[wp-hackers] thorough admin SSL

[Steve Taylor]

Mike, many thanks for those. I was using FORCE_SSL_ADMIN but I didn't
know about FORCE_SSL_LOGIN.

I don't manage the server, I'll check with the admins about maybe
using mod_substitute. Sounds like a good idea.

cheers,

Steve

On 3 February 2010 22:50, Mike Little <wordpress at zed1.com> wrote:
> Steve,
> I have encountered this on a project before, in particular, wpmu has several
> places hard-coded with 'http' (it also doesn't support a port number in
> urls, but that's another project problem I had to solve).
>
> My simple fix was to do it in Apache using mod_substitute - forget output
> buffering and all that hassle. Worked like a charm! (I still turned on the
> WP settings, and had a bounce-everything-to-https rewrite rule.)
>
> Add the following to wp-config.php
>
>  define( "FORCE_SSL_ADMIN", true );
>  define( "FORCE_SSL_LOGIN", true );
>
> Add the following rule to the .htaccess at the root of the site.
>
>  RewriteCond %{HTTPS} ^off$ [NC]
>  RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
>
> Add the following to the vhost settings in main apache config
>
>  AddOutputFilterByType SUBSTITUTE text/html
>  AddOutputFilterByType SUBSTITUTE application/atom+xml
>  AddOutputFilterByType SUBSTITUTE text/xml
>  AddOutputFilterByType SUBSTITUTE application/xhtml+xml
>  Substitute s|http://yourdomain.com|https://yourdomain.com|in
>
> substituting the correct host names.
>
> This was for the whole site served as https , but you could wrap the
> substitute stuff in a <location> section to just cover wp-login.php,
> wp-register.php and /wp-admin/
>
> Oh, and because this was an existing site with lots of content, I did a
> export/search-and-replace/import on the database too.
>
>
> Hope this helps,
>
>
> Mike
> --
> Mike Little
> http://zed1.com/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>