WordPress SSL Administration

If you’re a WordPress blogger who finds themselves out and about while blogging, you may benefit from the addition of secure/encrypted SSL logins and administration of your blog.

Let's say you are in a hotel for the night after a conference and you want to post an update on the day's proceedings for your readers. The delightful 5-star hotel you booked yourself into has thoughtfully provided free WiFi internet access in the rooms and your laptop can see the access point and has connected. Well, this is great but consider what that connection actually is for a moment.

The chances are that the connection uses no authentication and is entirely unencrypted. Any data you send or receive over the connection goes in the clear, including your WP login and password. Remember that wireless internet is a radio connection. Anyone with ill deeds on their mind and a ‘radio’ of their own (i.e. a wireless laptop) can record your data transmission and pick through it at will. They probably won't even have to spend much time or effort at it; I am led to believe there are tools which specifically search packet streams for login credentials.

The hotel may have provided you with an authenticated WiFi link or even a Cat5 drop in the room but this may still cause issues. Can you trust the hotel’s own network? On at least one occasion when connecting to a wired connection in a hotel, I have discovered myself to be on a LAN consisting of all the other guests.

What you need is encryption.

If you establish and maintain an SSL connection with your blog’s webserver, the risks of digital eavesdropping are negated. If your server/host already has SSL installed, reconfiguring WordPress to work with it is pretty trivial. You can ask your host to install SSL and assuming you’re not on a shared host, this shouldn’t be a problem. You don’t even have to buy a certificate as you can sign your own. Self-signed certificates do have a drawback in that they cause an initial error message in the browser until you import the certificate. You should ensure that you import your self-signed certs over a trusted network.

To get WordPress (2.6+) configured for SSL, open your wp-config.php file and add the lines:

/** Force SSL login and administration */
define('FORCE_SSL_ADMIN', true);

…and save the file back on the webserver.

This forces the login window to go straight to an SSL connection and maintains the admin interface in one too. All data passed between your client machine and the admin interface, including your login credentials will be encrypted.
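A quick way to confirm the edit took, as an added example that is not part of the original post: this Python check reads the text of a wp-config.php and reports whether FORCE_SSL_ADMIN is really active. It assumes the standard file layout, in which wp-config.php ends by loading wp-settings.php and a define() placed after that line has no effect; the function names and sample files are made up for illustration.

```python
import re

# Matches define('FORCE_SSL_ADMIN', <value>); with either quote style.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]FORCE_SSL_ADMIN['"]\s*,\s*([^)]+?)\s*\)\s*;""")
# The line where wp-config.php hands control to WordPress (assumed layout).
SETTINGS_RE = re.compile(r"""require(?:_once)?\b[^;]*wp-settings\.php""")
# Group 1: string literals (kept). Group 2: PHP comments (blanked out).
TOKEN_RE = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|(/\*.*?\*/|//[^\n]*|#[^\n]*)""",
    re.DOTALL)


def strip_php_comments(src):
    """Replace comments with spaces so a commented-out define() is ignored."""
    return TOKEN_RE.sub(
        lambda m: m.group(1) or re.sub(r"[^\n]", " ", m.group(2)), src)


def check_force_ssl_admin(src):
    """Return (ok, reason) for the contents of a wp-config.php file."""
    code = strip_php_comments(src)
    found = DEFINE_RE.search(code)
    if not found:
        return False, "FORCE_SSL_ADMIN is not defined (or only in a comment)"
    # Strict on purpose: accept only the boolean literal shown in the post.
    if found.group(1).lower() != "true":
        return False, "FORCE_SSL_ADMIN is %s, not true" % found.group(1)
    settings = SETTINGS_RE.search(code)
    if settings and found.start() > settings.start():
        return False, "define() comes after wp-settings.php is loaded"
    return True, "FORCE_SSL_ADMIN is true and set before WordPress loads"


# Constructed sample files, not taken from a real site.
GOOD = """<?php
define('DB_NAME', 'blog');
/** Force SSL login and administration */
define('FORCE_SSL_ADMIN', true);
/* That's all, stop editing! */
require_once(ABSPATH . 'wp-settings.php');
"""
COMMENTED = GOOD.replace("define('FORCE_SSL_ADMIN'", "// define('FORCE_SSL_ADMIN'")
LATE = """<?php
require_once(ABSPATH . 'wp-settings.php');
define('FORCE_SSL_ADMIN', true);
"""

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("commented", COMMENTED), ("late", LATE)):
        print(name, check_force_ssl_admin(sample))
```

To run it against a real file, pass the file's contents to check_force_ssl_admin() in place of the samples.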

Have fun & be safe 😉