I’ve been running my wp-admin page over SSL for a while now, having purchased a signed SSL certificate through my web hosting provider. I recently installed the WordPress HTTPS plugin but was experiencing issues with forcing SSL on the admin pages and forcing non-SSL through everything else.
The issue was with the plugin’s option to Force SSL Exclusively. The option forces everything that isn’t specifically secured via WordPress’s Force SSL (which makes wp-admin & wp-login available only over SSL) or HTTP filters that to be served over HTTP only. This means that any post or child post that doesn’t have the Secure Post option checked (available on the post’s edit page) will only be served over HTTP. This works great…until you try to customize your theme via wp-admin’s Appearance -> Customize page. This page will load your blog’s homepage within a frame, and since your homepage isn’t being forced over SSL (because Force SSL Exclusively is set), either your browser will display a warning about insecure content being served over a secure connection, or the theme customize page will blank instead of displaying your homepage.
I tried a number of different ways to fix this. The first one was to create an HTTP filter in the plugin’s setting page to redirect http://damiankarlson.com to https://damiankarlson.com. This ended up having adverse consequences, as I received a number of WordPress errors after doing so. My next attempt was to change my WordPress URL in Settings -> General to https://damiankarlson. This also didn’t work, as I was still experiencing the blank page in Appearance -> Customize.
My final attempt was to try the .htaccess route, since my site is hosted on a Linux server, and mod_rewrite is enabled. The Apache wiki lists two ways to do this. The first way uses a RewriteRule within .htaccess. The second way, which is recommended, is to use a Redirect directive within VirtualHosts. Typically, one VirtualHost exists for requests over port 80 (non-SSL), and the other over port 443 (SSL). However, my web hosting company doesn’t allow VirtualHost directives within my .htaccess file, so I had to use the RewriteRule.
[code]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# forcing SSL
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>
[/code]
Aaron Studer says
Hi Damian
Do you use CloudFlare at all?
I am trying to get Flexible SSl working with WordPress, but I think I am going to just buy a SSL certificate.
Thanks for your post!
Aaron
Damian Karlson says
No, no CloudFlare, just a signed cert that I purchased through my hosting provider.