CloudFlare and Securing WordPress Admin


I’ve recently been using CloudFlare on this blog for performance, security, and reducing bandwidth and spam comments. I also recently made the switch to Linode, so I now have full control of my server. I wanted to secure my WordPress admin login page, but since I use the free version of CloudFlare, I had to put SSL on a subdomain.

Secured Subdomain with Mangled Webpages

Once I had set up the secure subdomain, I noticed that none of the pages loaded correctly; just text. I later figured out that the reason is that WordPress 3.0 rewrites all URLs to https when viewed under https. That meant that it was trying to request https URLs for things like CSS, images, etc. from CloudFlare and not the subdomain. I tried all types of mod_rewrite combinations to no avail.

The Solution

The solution is really simple. All you need to do is install the WordPress HTTPS Plugin and configure the following settings:

  • SSL Host: secure.yoursite.com
  • Check Force SSL Administration

With the recent update of the plugin to version 2.0, you need to actually edit the plugin because it does not rewrite the wp-login.php page.

Change this:

// Fix admin_url on login page
if ( $GLOBALS['pagenow'] == 'wp-login.php' && $this->is_ssl() ) {
	add_filter('site_url', array(&$this, 'replace_http_url'));
}

To this:

// Fix admin_url on login page
if ( $GLOBALS['pagenow'] == 'wp-login.php' && $this->is_ssl() ) {
	add_filter('site_url', array(&$this, 'replace_http_url'));
	add_filter('admin_url', array(&$this, 'replace_http_url'));
}
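To check the result after the change, the added example below (not part of the original post or of the plugin) scans the HTML of the login page for the problem described above: https asset URLs that point at the CloudFlare-fronted host instead of the secure subdomain, and a login form that does not post to the SSL host. The function name, the host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch from, or submit to, a URL.
URL_ATTRS = {"link": "href", "script": "src", "img": "src", "form": "action"}


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, raw URL) in document order

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.found.append((tag, value))


def audit_login_page(html, page_url, ssl_host, proxied_host):
    """Return (tag, url, problem) for each reference that breaks the page
    or sends the login outside the SSL host."""
    parser = _Collector()
    parser.feed(html)
    issues = []
    for tag, raw in parser.found:
        url = urljoin(page_url, raw)  # resolves relative and //host URLs
        parts = urlsplit(url)
        if tag == "form":
            if parts.scheme != "https" or parts.hostname != ssl_host:
                issues.append((tag, url, "login form does not post to the SSL host"))
        elif parts.scheme == "http":
            issues.append((tag, url, "mixed content on an https page"))
        elif parts.hostname == proxied_host:
            issues.append((tag, url, "https asset requested from the proxied host"))
    return issues


# Constructed sample: a login page as it might be served before the fix.
SAMPLE = """
<link rel="stylesheet" href="https://yoursite.com/wp-admin/css/login.css">
<img src="https://secure.yoursite.com/wp-admin/images/logo.png">
<form action="http://yoursite.com/wp-login.php" method="post"></form>
"""

if __name__ == "__main__":
    page = "https://secure.yoursite.com/wp-login.php"
    for issue in audit_login_page(SAMPLE, page, "secure.yoursite.com", "yoursite.com"):
        print(issue)
```

An empty result for the saved source of the login page means every stylesheet, script, image and the form target resolve to the secure subdomain.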

Feel free to post a comment if you have any questions!