New feature request – https admin access

  • #8203
    silas88
    Participant

    I am on a shared server and so far have had no success in getting admin access only via https. There is a shared cert available for use but the domain URL needs to be specified slightly differently.

    I have tried modifying wp-config and I have tried using the plugin WordPress HTTPS without success (and from reading some of the reviews I am not sure it works on 3.6). According to the IMHO unclear wp codex article http://codex.wordpress.org/Administration_Over_SSL .htaccess needs to include appropriate rewrite rules and quotes this.

    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\ HTTP/ [NC]
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^/?(wp-admin/|wp-login\.php) https://mysite.com%{REQUEST_URI}%{QUERY_STRING} [R=301,QSA,L]

    I think part of the problem I at least face is knowing when to use my site domain address (without https) and when to use the account https address specifying the directory server.mywebhost.com/~username. Anyway if you have any thoughts about adding this kind of functionality to BPS I think many users would find it very useful.

    #8208
    AITpro Admin
    Keymaster

    We are planning to look into adding SSL options, but the primary concern that we have is that most folks will not understand/know that they have to have purchased an SSL certificate before true SSL will work.  It is possible to create pseudo SSL, but it does not really provide any additional security protection anyway.  This is still being researched further.  Thanks for posting this feature request.

    If you already have purchased or have a valid SSL certificate then see this Forum Topic link below for the .htaccess code to add to your root .htaccess file.

    http://forum.ait-pro.com/forums/topic/wordpress-ssl-htaccess-code-rewrite-ssl-rewritecond-server_port/

    #8217
    silas88
    Participant

    Well fortunately I know the difference, but I also know that the good ones cost $$ so at the moment I only want https to secure my admin password and admin updates, all of which I thought I could do with a shared cert.

    I think I have it kind of working 😉 The login screen is via https, but then I get a warning from FF that the password will be passed insecurely! When I am then logged in as admin the url is the standard domain http address and all the admin section is http which is not what I want.

    The link you provided above and the links on that page will keep me busy for a while! They look very useful. I am thinking of modifying the code you provided with a RewriteCond so that only the admin section is rewritten to the https address.

    If you do provide SSL functionality I think it’s important to somehow address several of the different use cases e.g. own SSL cert + SSL for whole site, own SSL cert + SSL for part(s) of site, shared SSL cert situations, proxy servers, CDNs, etc.

    #8218
    AITpro Admin
    Keymaster

    Yep, that is exactly why this has been on hold for over a year.  Until we have the extra time to support this we will not add it.  😉

    “If you do provide SSL functionality I think it’s important to somehow address several of the different use cases e.g. own SSL cert + SSL for whole site, own SSL cert + SSL for part(s) of site, shared SSL cert situations, proxy servers, CDNs, etc.”
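An added example, not code from this thread, BulletProof Security or the Codex: one way to write the admin-only redirect discussed above, with the rule quoted in the first post kept as a comment for comparison. The host example.com is a placeholder, and the block assumes mod_rewrite is enabled, the certificate is valid for that host, and the rules sit above the standard WordPress block in the root .htaccess.

```apache
# Added example. example.com is a placeholder host, not a value from the thread.
<IfModule mod_rewrite.c>
RewriteEngine On

# Rule as quoted in the first post (left commented out):
#   RewriteRule ^/?(wp-admin/|wp-login\.php) https://mysite.com%{REQUEST_URI}%{QUERY_STRING} [R=301,QSA,L]
# %{REQUEST_URI} followed directly by %{QUERY_STRING} has no "?" between them, so
# /wp-login.php?action=logout is redirected to /wp-login.phpaction=logout?action=logout.

# Only act on requests that did not arrive over TLS.
RewriteCond %{HTTPS} !=on
# Behind a TLS-terminating proxy or CDN the origin always sees plain HTTP and the
# condition above never changes, which causes a redirect loop. In that setup, test the
# header the proxy sets instead, and only if the proxy overwrites any client-sent copy:
#   RewriteCond %{HTTP:X-Forwarded-Proto} !=https

# Match wp-login.php and everything under wp-admin/ (per-directory patterns have no
# leading slash). The substitution contains no "?", so mod_rewrite carries the original
# query string over unchanged and it does not need to be appended by hand.
RewriteRule ^(wp-admin(/.*)?|wp-login\.php)$ https://example.com%{REQUEST_URI} [R=301,L]
</IfModule>

# The redirect only moves the browser to HTTPS. For WordPress itself to generate https
# admin URLs and set the Secure flag on the auth cookie, wp-config.php also needs:
#   define('FORCE_SSL_ADMIN', true);
```

A shared certificate served from a different host name (the server.mywebhost.com/~username form mentioned in the first post) is a different origin from the site domain, so cookies set there are not sent to the site domain and this rule alone does not cover that case.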
