WordPress Security Tips Part 7 – Enabling HTTPS for all logins and wp-admin

Strictly speaking, HTTPS is not a protocol in its own right; it is HTTP encapsulated in TLS/SSL. TLS (the successor of SSL, though the older name is still commonly used) provides websites and web applications with encryption of the data being transmitted and with authentication of the host's identity.

HTTPS is usually synonymous with shopping carts and Internet banking, but in reality, it should be used whenever a user is passing sensitive information to the web server and vice-versa.

TLS/SSL may significantly consume server resources depending on the site’s traffic. Consequently, for most sites it is not required to serve the entire site using HTTPS. WordPress’s login form and admin area, on the other hand, are probably the most sensitive areas of a WordPress site. It is therefore strongly advised that TLS/SSL is not only implemented, but enforced in such areas.

WordPress provides an easy way to enforce TLS/SSL on both wp-login and wp-admin pages. This is achieved by defining two constants in your site’s wp-config.php file.

Note - You must already have TLS/SSL configured and working on the server before your site will work properly with these constants set to true.

To ensure that login credentials are encrypted during transit to the web server, define the following constant in wp-config.php.

define('FORCE_SSL_LOGIN', true);

To ensure that sensitive data in transit (such as session cookies) is encrypted when using the WordPress administration panel, define the following constant in wp-config.php.

define('FORCE_SSL_ADMIN', true);
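The settings described above, in the form they take in wp-config.php, together with one check a practitioner usually needs: when TLS terminates at a reverse proxy or load balancer and PHP receives plain HTTP, WordPress's is_ssl() never sees an HTTPS request and FORCE_SSL_ADMIN redirects in a loop. This is an added example, not code from the original post; the proxy address is an assumption, and the block belongs above the require of wp-settings.php.

```php
<?php
// Added example (not from the original article). Place this block in
// wp-config.php above: require_once ABSPATH . 'wp-settings.php';

// Enforce HTTPS for wp-login.php and everything under /wp-admin/.
// Note: FORCE_SSL_LOGIN was deprecated in WordPress 4.0; defining it today
// simply switches on FORCE_SSL_ADMIN, so the one constant below is enough
// on current versions and covers the login form as well.
define('FORCE_SSL_ADMIN', true);

// WordPress decides whether a request already uses HTTPS with is_ssl(), which
// reads $_SERVER['HTTPS'] (or a server port of 443). If the TLS connection ends
// at a proxy that forwards plain HTTP to PHP, is_ssl() is false on every request
// and FORCE_SSL_ADMIN redirects to https:// again and again (a redirect loop).
//
// The fix is to honour the proxy's X-Forwarded-Proto header, but only on
// requests that really arrive from the proxy. Trusting the header from any
// client would let a plain-HTTP request claim to be HTTPS and skip the redirect.
$trusted_proxies = array('10.0.0.5'); // assumption: internal IP of the load balancer

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'], $_SERVER['REMOTE_ADDR'])
    && in_array($_SERVER['REMOTE_ADDR'], $trusted_proxies, true)
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
    // Tell WordPress this request was HTTPS at the edge, so is_ssl() is true
    // and the FORCE_SSL_ADMIN redirect is not triggered a second time.
    $_SERVER['HTTPS'] = 'on';
}
```

After deploying, confirm the behaviour by requesting http://your-site/wp-login.php and checking that the response is a single redirect to the https:// URL rather than a chain of redirects.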

Part 8 in the Series on WordPress Security will discuss: Restricting Direct Access to Plugin and Theme PHP files
Read the previous article in the series about WordPress Security – Disable File Editing
