Make WordPress Core

Opened 14 years ago

Closed 12 years ago

Last modified 12 years ago

#18680 closed enhancement (worksforme)

Make SSL login-only possible (while leaving admin unencrypted)

Reported by: multimule
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.2.1
Component: General
Keywords:
Focuses:
Cc:

Description (last modified by nacin)

There are two options to be set in wp-config.php to enforce secure connections.

With the following configuration, the login AND the backend will be done via SSL:

define( 'FORCE_SSL_ADMIN', false ); // or true
define( 'FORCE_SSL_LOGIN', true );  // or false

As those are 'FORCE' parameters, one might consider it correct that, even though one is set to 'false', both will be via HTTPS.

However, WordPress is currently missing an option to have ONLY the login data sent encrypted and go on to the admin interface via a normal (non-encrypted) connection. That scenario requires additional redirections on the webserver.

Change History (6)

#1 in reply to: ↑ description @multimule
14 years ago

The two defines got screwed up by trac:

define( 'FORCE_SSL_ADMIN', false );

define( 'FORCE_SSL_LOGIN', true );

#2 @johnbillion
14 years ago

  • Cc johnbillion@… added

#3 @nacin
14 years ago

  • Description modified (diff)

#4 @nacin
14 years ago

  • Keywords reporter-feedback added

> However, WordPress is currently missing an option to have ONLY the login data sent encrypted and go on to the admin interface via a normal (non-encrypted) connection.

I can't reproduce this. FORCE_SSL_LOGIN (set to true) controls the login data. FORCE_SSL_ADMIN controls the admin.

FORCE_SSL_ADMIN implies FORCE_SSL_LOGIN (if you lock down the admin, you lock down login data) but the reverse isn't true. FORCE_SSL_LOGIN does not make the admin https.
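
The rule stated in comment #4, written as a small checker that can be run over a wp-config.php body. This is an added example, not WordPress code and not code from this ticket; the function name `effective_ssl_policy`, the regex-based parsing, and treating a constant that is never defined as false are assumptions.

```python
import re

# define( 'FORCE_SSL_ADMIN', true ); -- constant names are case-sensitive in PHP,
# the true/false literals are not.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](FORCE_SSL_ADMIN|FORCE_SSL_LOGIN)['"]\s*,\s*((?i:true|false))\s*\)\s*;""",
    re.MULTILINE,
)
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def effective_ssl_policy(wp_config_text):
    """Work out what the two constants force to HTTPS, per the rule in comment #4."""
    flags = {}
    for name, value in DEFINE_RE.findall(BLOCK_COMMENT_RE.sub("", wp_config_text)):
        # PHP keeps the first define() of a constant; later ones do not override it.
        flags.setdefault(name, value.lower() == "true")
    # Assumption: a constant that is never defined behaves as false.
    admin = flags.get("FORCE_SSL_ADMIN", False)
    login = flags.get("FORCE_SSL_LOGIN", False)
    policy = {
        "login_https": admin or login,  # FORCE_SSL_ADMIN implies FORCE_SSL_LOGIN
        "admin_https": admin,           # FORCE_SSL_LOGIN alone does not cover the admin
    }
    if policy["login_https"] and not policy["admin_https"]:
        policy["note"] = "login-only: admin pages and the session cookie use plain HTTP"
    elif not policy["login_https"]:
        policy["note"] = "neither login nor admin is forced to HTTPS"
    else:
        policy["note"] = "login and admin are both forced to HTTPS"
    return policy


# Constructed sample: the configuration from the ticket, plus a commented-out line.
SAMPLE = """<?php
// define( 'FORCE_SSL_ADMIN', true );
define( 'FORCE_SSL_ADMIN', false ); // or true
define( 'FORCE_SSL_LOGIN', true );  // or false
"""

if __name__ == "__main__":
    print(effective_ssl_policy(SAMPLE))
```
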

#5 @iseulde
12 years ago

  • Keywords reporter-feedback removed
  • Resolution set to worksforme
  • Status changed from new to closed

No feedback after two years.

#6 @helen
12 years ago

  • Milestone Awaiting Review deleted