Protect Your WordPress (Travel) Blog Passwords With A Single Line Of Code

by Anil Polat · 4 comments

The very popular blogging platform WordPress has gotten better at security over the years but could still use some improvements on how it protects your passwords as they float across the Internet. Chances are your WordPress blog isn’t taking advantage of your server’s SSL certificate (private or shared – most hosting plans provide you with one).


Note: There are several plugins that can do this for you, most notably Admin SSL, but it doesn’t play nice with blog accelerator WP Super Cache.

Check If You Have A Certificate Available

By adding one line of code to your WordPress config file you can force your blog to use the de facto Web-standard Secure Sockets Layer (SSL) encryption.

  • First of all check to see if your blog has an SSL certificate available to it, which is necessary for this to work. An easy way to do this is to add an “S” to your blog’s URL (e.g. httpS://techguidefortravel.com/)

You’ll probably get a warning about the certificate not being trusted which is pretty normal considering your browser doesn’t know your site from a hole in the wall. Trust the certificate permanently to avoid any similar warnings down the line. If the page doesn’t load or you get some kind of error, contact your hosting company and ask them how to enable an SSL certificate for your site; then try again.

Add This Line Of Code To Encrypt Passwords

Open up your wp-config.php file, which is in the root directory of your WordPress blog.

Copy and paste this line, courtesy of WordPress.org:

define('FORCE_SSL_LOGIN', true);

adding it above the “That’s all, stop editing! Happy blogging.” line of the config file.

To beef up security even further and protect all of your admin connections, add this line (as opposed to the above):

define('FORCE_SSL_ADMIN', true);

In case things don’t work, the easy way to undo what you did is to remove the line of code. Assuming things go smoothly though, you’re done – now your WordPress blog’s passwords and cookies are encrypted in transit, better protecting your login credentials. To secure most of your other Internet connections, try the HTTPS Everywhere Firefox add-on.
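An added example, not part of the original post and not WordPress code: a Python helper that checks the text of a wp-config.php for the define line above and repairs it when it was pasted with curly quotes, set to false, duplicated, or placed below the “stop editing” marker. The function names and the sample file contents are constructed for illustration.

```python
import re

# Hypothetical helper names; this is not WordPress or the article's own code.
QUOTES = "'\"\u2018\u2019\u201c\u201d"  # straight plus pasted "smart" quotes
MARKER = re.compile(r"^.*That's all, stop editing!.*$", re.MULTILINE)


def define_pattern(name):
    # One whole define() line for `name`, whatever the quote style or spacing.
    return re.compile(
        r"^[ \t]*define\(\s*([%s])%s[%s]\s*,\s*(\w+)\s*\)\s*;[ \t]*\r?\n?"
        % (QUOTES, re.escape(name), QUOTES),
        re.MULTILINE,
    )


def ensure_force_ssl(config_text, name="FORCE_SSL_ADMIN"):
    """Return (new_text, action): 'unchanged', 'fixed' or 'inserted'."""
    pattern = define_pattern(name)
    marker = MARKER.search(config_text)
    if marker is None:
        raise ValueError("stop-editing marker not found; edit the file by hand")
    found = list(pattern.finditer(config_text))
    if (len(found) == 1 and found[0].group(1) in "'\""
            and found[0].group(2).lower() == "true"
            and found[0].start() < marker.start()):
        return config_text, "unchanged"
    # Drop curly-quoted, disabled, duplicated or misplaced defines, then add
    # one valid line directly above the marker, where the article puts it.
    cleaned = pattern.sub("", config_text)
    marker = MARKER.search(cleaned)
    new_text = (cleaned[:marker.start()] + "define('%s', true);\n" % name
                + cleaned[marker.start():])
    return new_text, "fixed" if found else "inserted"


# Constructed sample: a trimmed wp-config.php with a curly-quoted paste.
SAMPLE = (
    "<?php\n"
    "define('DB_NAME', 'blog');\n"
    "define(\u2018FORCE_SSL_ADMIN\u2019, true);\n"
    "/* That's all, stop editing! Happy blogging. */\n"
    "require_once(ABSPATH . 'wp-settings.php');\n"
)

if __name__ == "__main__":
    text, action = ensure_force_ssl(SAMPLE)
    print(action)
```

Run it on a copy of the config file first; the function only transforms text and never writes to disk itself.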

[photos by: -12C (padlock)]


1 Sherry Ott October 27, 2010 at 14:36

Thanks for sharing the step by step info!


2 Anil P. October 28, 2010 at 03:32

Anytime!


3 WonderingYolene September 5, 2011 at 12:20

Hi, thanks for the tip, I’d like to try that.
I checked if I have SSL, and apparently I do, but not sure if there’s anything more I should do: after I accept past the security warning I don’t get to my website, I get to my hosts’ page which says “If you can see this page, then the people who manage this server have installed cPanel and WebHost Manager (WHM) which use the Apache Web server software and the Apache Interface to OpenSSL (mod_ssl) successfully. They now have to add content to this directory and replace this placeholder page, or else point the server at their real content.”
Do I have to find a special SSL directory and transfer all my website there?!
Sorry to be such a beginner, but I’m hoping you can help me sort this out before I risk breaking my site with changing the config 🙂
Thanks a lot.


4 Anil P. September 5, 2011 at 12:50

You won’t have to transfer anything actually, you just need your host to set up the SSL certificate for you if they provide that service. Shoot them an email and chances are they’ll be able to enable it as part of your service, then check again that you can get to the HTTPS version of your site. If so, then go ahead with the line of code above.

Hope this helps but let me know if you have any other questions 🙂

