First off, this can be done, but not without some minor issues. This solution is probably a better fit for those who are techy and understand the Internet. It would create more trouble for support if the solution were handed over to a client who does not have much basic internet knowledge.

With that out of the way, I was looking for a solution so that when I log into my site’s admin area, I can be sure that my username and password are encrypted, and that after logging in, my authenticated cookie for the admin area would be sent securely via HTTPS. Plus, I want the front-end traffic to still use the unencrypted HTTP protocol for any public posts and pages. I wanted this because my SSL certificate has expired, and I did not update my payment information for it to be renewed, so they took the SSL away from my site.

I faced two issues: 1) I could not get to my site’s admin area because the login enforces SSL (it automatically redirects from HTTP to HTTPS for the login page), and the SSL was not working; 2) once I could disable the forcing of SSL for the login and admin area, did I want to knowingly log in via insecure HTTP?

For the first problem, I did a bit of online research, and used cPanel’s file manager to update the two define statements related to SSL to false inside the wp-config.php, and I was then able to log in via HTTP and access the admin area. So that was a simple change.

For the second problem, I did some research on the available plugins that could do the trick. I finally settled on the WordPress HTTPS plugin. I passed this one up at first, because it was last updated in 2013, and I typically don’t want to use plugins that are no longer being updated. However, research brought my attention back to this plugin. It has some good things going for it: a very good rating distribution (overwhelmingly good ratings), a high number of raters, a high number of downloads, recent reviews that say it even works for the latest WP 4.0 version, blog posts referencing this plugin regarding using shared SSL, GitHub-hosted source code, and a relatively long history of updates. Finally, it appears that this plugin does exactly what I want to do with my blog site – secure transfers for login and admin area without having to pay for an SSL certificate.

So I downloaded it from WordPress.org’s plugins directory, manually uploaded it on the plugins page, and installed and activated the plugin on my site running on WP 3.5.1. Of course, I backed up my database before activating and changing the settings. A few things to note: if the site is installed under a subfolder, the subfolder is not necessary for the SSL host in the general settings – in fact, it deleted it after I did a save. There is no trailing /, I did not specify any port, and it still works.

The two options that I turned on are “Force SSL Administration” (this one will do a redirect if the initial URL is http to the login page or admin area) and “Force SSL Exclusively” (this one will allow front-end pages and posts to be served under HTTP unless they are specifically excluded using the post’s HTTPS meta settings on the side bar). I left the other sections, “Domain Mapping” and “URL Filters”, untouched. So far it works for me for the most part – securing the admin area and my logins.
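One way to confirm that setup is to inspect the login responses for the HTTP-to-HTTPS redirect and for the flags on the admin auth cookie. The sketch below is an added example, not code from this post or from the plugin; it relies on WordPress's `wordpress_` / `wordpress_sec_` cookie name prefixes, skips the `wordpress_logged_in_` and test cookies on the assumption that the front end stays on HTTP as described here, and uses constructed hosts, cookie hashes and responses.

```python
# Added example; the response data below is constructed, not captured from a real site.
SKIP = ("wordpress_logged_in_", "wordpress_test_cookie")  # not admin auth cookies

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:] if p}

def audit_login_response(request_url, status, headers):
    """Check one wp-login.php response; headers is a list of (name, value)."""
    findings = []
    over_https = request_url.lower().startswith("https://")
    location = next((v for k, v in headers if k.lower() == "location"), "")
    # Over plain HTTP the only acceptable answer is a redirect to HTTPS.
    if not over_https and not (
        300 <= status < 400 and location.lower().startswith("https://")
    ):
        findings.append("login reachable over HTTP with no redirect to HTTPS")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not name.startswith("wordpress_") or name.startswith(SKIP):
            continue
        if not over_https:
            findings.append(f"{name}: auth cookie issued over HTTP")
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"{name}: missing {flag} attribute")
    return findings

# Constructed samples (hypothetical hosts and cookie hash).
GOOD_REDIRECT = ("http://blog.example.test/wp-login.php", 302,
                 [("Location", "https://host.example.test/wp-login.php")])
GOOD_LOGIN = ("https://host.example.test/wp-login.php", 302, [
    ("Location", "https://host.example.test/wp-admin/"),
    ("Set-Cookie", "wordpress_test_cookie=WP+Cookie+check; path=/"),
    ("Set-Cookie", "wordpress_sec_0123abcd=admin%7C1; path=/wp-admin; secure; HttpOnly"),
    ("Set-Cookie", "wordpress_logged_in_0123abcd=admin%7C1; path=/; HttpOnly"),
])
BAD_LOGIN = ("http://blog.example.test/wp-login.php", 302, [
    ("Location", "http://blog.example.test/wp-admin/"),
    ("Set-Cookie", "wordpress_0123abcd=admin%7C1; path=/wp-admin; HttpOnly"),
])

if __name__ == "__main__":
    for sample in (GOOD_REDIRECT, GOOD_LOGIN, BAD_LOGIN):
        print(sample[0], audit_login_response(*sample) or "OK")
```

To run it against a real site, feed it the status code and headers your HTTP client records for the login request instead of the constructed samples.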

However, I do notice a few minor problems that I can live with:

  • The visual editor shows up blank when trying to edit a post; I had to go to the TEXT/HTML view and edit there, or go back to Visual Editor;
  • Some tags appear in the visual editor;
  • Some editing tool buttons disappear from the top of the visual editor;
  • The secured URL uses the hosting company server name, not your registered primary domain;
  • The shared SSL is a self-signed certificate, so your browser will always complain, and you need to be able to review the certificate and add an exception for your browser.

Therefore, I don’t think it is a suitable solution for a secure site for the general public or many users. But for a site that is used by one or a few developers or sophisticated users, it is a good money-saving solution.

So far I don’t mind those minor issues, which do not prevent me from creating new and editing existing posts and pages. I have not found any other, more serious issues. So until then, I will stick with the plugin and use it for security for myself.
