First off, this can be done, but not without some minor issues. And this solution is probably more fit for those who are techy and understand the Internet. It would be more trouble for support if the solution is handed over to a client who does not have much basic internet knowledge.
With that out of the way, I was looking for a solution so that when I log into my site’s admin area, I can be sure that my username and password are encrypted, and after logging in, my authenticated cookie for the admin area would be sent securely via HTTPS. Plus, I want the front-end traffic to still use the unencrypted HTTP protocol for any public posts and pages. I wanted this because my SSL certificate has expired, and I did not update my payment information for it to be renewed, so they took the SSL away from my site.
I faced two issues: 1) I could not get to my site’s admin area because the login enforces SSL (automatically redirects from http to https for the login page), and the SSL was not working; 2) once I could disable the forcing of SSL for the login and admin area, do I want to knowingly log in via the insecure HTTP?
For the first problem, I did a bit of online research, and used cPanel’s file manager to update the two define statements related to SSL to false inside the wp-config.php, and I was then able to log in via HTTP and access the admin area. So that was a simple change.
For the second problem, I did some research on the available plugins that could do the trick. I finally settled on the WordPress HTTPS plugin. I passed this one up at first, because it was last updated only in 2013, and I typically don’t want to use plugins that are no longer being updated. However, research brought my attention back to this plugin. It has some good things going for it: very good rating distribution (overwhelmingly good ratings), high # of raters, high # of downloads, recent reviews that say it even works for the latest WP 4.0 version, blog posts referencing this plugin regarding using shared SSL, GitHub-hosted source code, and a relatively long history of updates, and finally it appears that this plugin does exactly what I want to do with my blog site – secure transfers for login and admin area without having to pay for an SSL certificate.
So I downloaded it from WordPress.org’s plugins directory, manually uploaded it on the plugins page, and installed and activated the plugin on my site running on WP 3.5.1. Of course, I backed up my database before activating and changing the settings. A few things to note: if the site is installed under a subfolder, the subfolder is not necessary for the SSL host in the general settings – in fact, it deleted it after I did a save, and there is no trailing /, and I did not specify any port, and it still works.
The two options that I turned on are “Force SSL Administration” (this one will do a redirect if the initial URL is http to the login page or admin area) and “Force SSL Exclusively” (this one will allow front-end pages and posts to be served under HTTP unless they are specifically excluded using the post’s HTTPS meta settings on the side bar); and I left the other sections “Domain Mapping” and “URL Filters” untouched. So far it works for me for the most part – securing the admin area and my logins.
However, I do notice a few minor problems that I can live with:
The visual editor shows up blank when trying to edit a post; I had to go to the TEXT/HTML view and edit there, or go back to Visual Editor;
Some tags appear in the visual editor;
Some editing tool buttons disappear from the top of the visual editor;
The secured URL uses the hosting company server name, not your registered primary domain;
The shared SSL is a self-signed certificate, so your browser will always complain, and you need to be able to review the certificate and add an exception for your browser.
Therefore, I don’t think it is a suitable solution for a secure site for the general public or many users. But for a site that is used by one or a few developers or sophisticated users, it is a good money-saving solution.
So far I don’t mind those minor issues which do not prevent me from creating new and editing existing posts and pages. I have not found any other issues more serious. So until then, I will stick with the plugin and use it for security for myself.
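One way to confirm that the setup described above does what it is meant to: the script below is an added example, not part of the original post or the plugin. It audits the login redirect and the Set-Cookie headers for the Secure flag on the admin auth cookie. The cookie name prefixes are WordPress's standard ones; the host, hash and header values are constructed samples.

```python
from urllib.parse import urlsplit

def parse_set_cookie(line):
    """Return (name, lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in line.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:] if p}

def is_admin_auth_cookie(name):
    # WordPress names: wordpress_sec_<hash> / wordpress_<hash> gate wp-admin;
    # the logged_in and test cookies do not open wp-admin by themselves.
    if name.startswith(("wordpress_logged_in_", "wordpress_test_cookie")):
        return False
    return name.startswith("wordpress_")

def audit(login_probe, set_cookies):
    """login_probe: (status, Location) from a plain-HTTP GET of wp-login.php.
    set_cookies: Set-Cookie header values returned by the login POST."""
    findings = []
    status, location = login_probe
    if status not in (301, 302) or urlsplit(location or "").scheme != "https":
        findings.append("FAIL: login page served over plain HTTP, no HTTPS redirect")
    for line in set_cookies:
        name, attrs = parse_set_cookie(line)
        if is_admin_auth_cookie(name):
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"FAIL: {name} lacks the {flag} attribute")
        elif name.startswith("wordpress_logged_in_") and "secure" not in attrs:
            findings.append(f"NOTE: {name} also travels over HTTP front-end pages")
    return findings

# Constructed sample responses (host, hash and values are placeholders).
FORCED_SSL = ((302, "https://shared-ssl.example/wp-login.php"), [
    "wordpress_sec_0123abcd=CONSTRUCTED; path=/wp-admin; secure; HttpOnly",
    "wordpress_logged_in_0123abcd=CONSTRUCTED; path=/; HttpOnly",
])
SSL_DISABLED = ((200, None), [
    "wordpress_0123abcd=CONSTRUCTED; path=/wp-admin; HttpOnly",
])

if __name__ == "__main__":
    for label, (probe, cookies) in (("forced SSL", FORCED_SSL),
                                    ("SSL defines false", SSL_DISABLED)):
        print(label, "->", audit(probe, cookies) or ["no findings"])
```

To run it against a real site, feed it the status, Location and Set-Cookie values captured from the browser's network panel during a login.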
I installed the Uber app before, and tried to register an account and stopped half way in that process, because it asked me for my credit card information. As much as I wanted to try Uber, I did not want to give out the critical information just like that.
That was until my car battery quit in the Walmart parking lot, on the same day I planned to buy a new battery at Canadian Tire and replace it, right after the Walmart visit. You know what, as if the battery knew my plans and got upset, and decided to pre-empt me right there in the parking lot. I tried to buy the battery from Walmart’s auto department and get it installed, but the automotive shop was closed, and they don’t have tools rental or a battery booster. That left me with no choice but to call a cab. Wait, there is another choice, and I decided to give Uber a try to see if it works. I finally gave up my credit card info to Uber. And from that point on, the request for a ride share was simple, and the wait was beyond my expectations, because it was only minutes, and I could see where exactly the car was and how many minutes it was to my location. And because I also knew the make of the car, when the car pulled up, I already knew it was it. The driver turned out to be nice too, although the air freshener was a bit too strong. But that was OK. The drive was uneventful. I had to double-back to retrieve the home key (lucky we did not get too far away yet, before I remembered), got home, got the battery booster, returned to the Walmart parking lot. And the whole round trip was $19 something, very reasonable. And there was no cash that changed hands – everything is taken care of electronically through Uber and there is the reason why they needed the credit card.
After that I boosted the car, drove to Canadian Tire, bought a replacement battery, got home, watched a couple of YouTube DIY videos, and got out the tools and replaced the battery on my driveway. The replacement job took about 30 minutes, simple enough. And I returned the old battery on the same day and got the $20 back.
Good job, Uber!
We just implemented SSO integration between WordPress and PingIdentity successfully.
What we learnt is that the “simpleSAMLphp Authentication” plugin (0.7.0) is too complicated to implement, as it has an additional 3rd party application to install and configure, and the Apache server has to be configured to work with it, in addition to the plugin itself. Way too complicated. We tried, but gave up, and then tried a second option – “OneLogin SAML SSO” (2.1.2) which worked much simpler out of the gate. It has a settings page that has all the configurations in one place, and there is nothing else to install.
It’s between a WordPress 4.0 site in VPS hosting and a private cloud PingIdentity IdP.