CloudFlare and Securing WordPress Admin
I’ve recently been using CloudFlare on this blog for performance, security, and reduced bandwidth and spam comments. I also recently made the switch to Linode, so I now have full control of my server. I wanted to secure my WordPress admin login page, but since I use the free version of CloudFlare, I had to put SSL on a subdomain.
Secured Subdomain with Mangled Webpages
Once I had set up the secure subdomain, I noticed that none of the pages loaded correctly; just text. I later figured out that this is because WordPress 3.0 rewrites all URLs to https when viewed under https. That meant it was trying to request https URLs for things like CSS, images, etc. from CloudFlare and not the subdomain. I tried all types of mod_rewrite combinations to no avail.
The Solution
The solution is really simple. All you need to do is install the WordPress HTTPS Plugin and configure the following settings:
- SSL Host: secure.yoursite.com
- Check Force SSL Administration
With the recent update of the plugin to version 2.0, you need to actually edit the plugin because it does not rewrite the wp-login.php page.
Change this:
// Fix admin_url on login page
if ( $GLOBALS['pagenow'] == 'wp-login.php' && $this->is_ssl() ) {
    add_filter('site_url', array(&$this, 'replace_http_url'));
}
To this:
// Fix admin_url on login page
if ( $GLOBALS['pagenow'] == 'wp-login.php' && $this->is_ssl() ) {
    add_filter('site_url', array(&$this, 'replace_http_url'));
    add_filter('admin_url', array(&$this, 'replace_http_url'));
}
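To confirm the edit took effect, the following check (an added example, not code from this post or from the plugin) parses a saved copy of the wp-login.php page and lists every absolute URL that is not HTTPS on the SSL host, and separately checks the redirect_to= parameter on a login redirect. The function names and the sample HTML are constructed for illustration; secure.yoursite.com is the placeholder host from the settings above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

SECURE_HOST = "secure.yoursite.com"  # "SSL Host" value from the plugin settings

class LoginPageAudit(HTMLParser):
    """Collect every absolute URL on the login page that leaves the SSL subdomain."""
    URL_ATTRS = {"link": "href", "script": "src", "img": "src", "form": "action"}

    def __init__(self, secure_host):
        super().__init__()
        self.secure_host = secure_host
        self.findings = []

    def _check(self, where, url):
        parts = urlsplit(url)
        if not parts.netloc:                  # relative URL: stays on the current origin
            return
        if parts.scheme not in ("https", ""):  # "" = protocol-relative, inherits https
            self.findings.append((where, "not-https", url))
        elif parts.hostname != self.secure_host:
            self.findings.append((where, "wrong-host", url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self._check(f"{tag}[{attr}]", attrs[attr])
        if tag == "input" and attrs.get("name") == "redirect_to" and attrs.get("value"):
            self._check("redirect_to", attrs["value"])

def audit_login_page(html, secure_host=SECURE_HOST):
    parser = LoginPageAudit(secure_host)
    parser.feed(html)
    return parser.findings

def audit_redirect(location, secure_host=SECURE_HOST):
    """True only if every redirect_to= value is an https URL on the SSL host."""
    values = parse_qs(urlsplit(location).query).get("redirect_to", [])
    return bool(values) and all(
        urlsplit(v).scheme == "https" and urlsplit(v).hostname == secure_host
        for v in values)

# Constructed sample: a login page whose URLs were only partly rewritten.
SAMPLE = '''<link rel="stylesheet" href="https://yoursite.com/wp-admin/css/login.css">
<form action="https://secure.yoursite.com/wp-login.php" method="post">
<input type="hidden" name="redirect_to" value="http://yoursite.com/wp-admin/">
<img src="/wp-admin/images/logo.png"></form>'''

if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE):
        print(finding)
```

An empty list from audit_login_page means every absolute URL on the page stays on the SSL subdomain; a "wrong-host" entry for a stylesheet is the unstyled, text-only symptom described earlier.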
Feel free to post a comment if you have any questions!

Hi Dustin, thanks for sharing your experience. I’m exactly in the same situation, I want to access wp-admin over ssl with the free version of CloudFlare using the https://direct. subdomain.
I have followed your solution exactly as described, but it’s not working for me: when I try to log in, it makes a redirection to wp-admin and another to wp-login.php again, but it is not entering the admin area.
Do you have any clue or suggestion?
Thanks in advance.
Hey, sorry to hear it’s not working – have you set up your https redirect in your .htaccess or Apache site config? When you reach the wp-login.php page, what is the redirect_to= parameter? It should look like this: redirect_to=https%3A%2F%2Fsecure.yoursite.com%2Fwp-admin%2F
I have the same issue as #1 comment…
Did someone solve the issue?
It says invalid installation at https://secure.mysitename.com even though I have made a new CNAME record for secure with the record mysitename.com
Also, how did you get wp-admin and wp-login ssl secure if you were using a sub-domain secure.mysitename.com?
Hi Joey, you need to set up a new virtualhost for your secure domain before you configure the plugin.
Great tip. Was wondering what you do after setting up new virtual host? Thanks for the clarification.
James, you generate your SSL certificate. A self-signed cert is free and fine for personal use. Depending on your setup, you may need to open port 443 on your firewall. Then you configure the plugin as detailed in the post. That’s all.