WordPress SSL and a free alternative for secure WordPress logins

We can agree that publicizing your wp-admin login credentials for all to see is a bad idea, right? Dumb question? Well, if you’re not logging into your WordPress Dashboard via HTTPS (or option #2, below), that’s exactly what you’re doing. Attackers can spoof your login form, “listen” to your site traffic, or your coffee house neighbor could be running Firesheep on you. In case you didn’t know, bad people suck.

If someone snags your login credentials, they could wreak havoc that can make you cry. It’s scarier than just losing all your files. They might change your site content from family-friendly to R-rated, get your Dropbox or Amazon S3 credentials, install some nasty stuff, or change your account password and profile email to lock you out (your password reset link would email them, not you).

Just thinking about all that bad stuff happening to my blog gives me the creeps. Here are 2 options for securely logging into your WordPress Dashboard, creep-free:

#1 – Set up WordPress SSL / HTTPS

What’s Needed? An SSL certificate, annual cost ranging from $10 to $50+

Level of Difficulty: Easy to Moderate, depending on your hosting setup and tech support, if needed

Time Requirement: Up to an hour, possibly over the course of a day or two, depending on your hosting setup

Step-by-Step:

  1. Buy a domain name and an SSL certificate
  2. Make sure you have a working email address at your domain (e.g. webmaster@), or make sure your WHOIS records display your desired SSL certificate email address (e.g. a GMail address).
  3. Install WordPress at your desired location. Options include: at the domain root (e.g. example.com), a subdomain (e.g. site.example.com), or a subdirectory (e.g. example.com/website/)
  4. From your web host control panel (or via a support ticket to your tech support), generate a Certificate Signing Request (CSR) with your company or personal information (e.g. organization name, location, and email address). This cannot be fake information and will not be kept private from your website visitors.
    1. If you install WordPress at the domain’s root folder or a subdirectory, issue the SSL certificate to your domain (e.g. www.example.com, even if you’re not serving the page with www).
    2. If you install at a subdomain, you’ll have to issue the SSL certificate to the subdomain, not the root domain.
  5. Submit the CSR to your certificate vendor, and once the certificate is issued, install it on your server (or have your tech support do it).
  6. Once enabled, test it by visiting a page on your WordPress installation via HTTPS instead of HTTP. You may also want to verify that your SSL certificate is installed properly by running the Qualys SSL Server Test.
  7. Familiarize yourself with the WordPress Codex “Administration Over SSL” page. It’s not explicitly stated in the Codex, but FORCE_SSL_ADMIN is inclusive of FORCE_SSL_LOGIN so you don’t need both set to ‘true’, just one or the other.
  8. Clear your browser cookies, browser cache, and website cache.
  9. Visit your login page and make sure the page is forced to HTTPS in the browser bar if you set FORCE_SSL_ADMIN to ‘true’. Or view the page’s source and search for “wp-login.php” and see if it’s served via HTTPS even if the browser bar shows HTTP.
  10. Pat yourself on the back for successfully setting up SSL for WordPress.
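The wp-config.php settings from step 7, as an added example that is not part of the original post. It assumes the lines go above the “That’s all, stop editing!” comment in wp-config.php; the X-Forwarded-Proto branch is only needed when a proxy or load balancer terminates SSL in front of your web server.

```php
<?php
// Force HTTPS for the login form and every wp-admin request.
// FORCE_SSL_ADMIN already covers what FORCE_SSL_LOGIN did, so setting
// just this one constant is enough.
define('FORCE_SSL_ADMIN', true);

// Assumption: SSL is terminated by a proxy/load balancer that passes the
// original scheme in the X-Forwarded-Proto header. Without this block,
// WordPress sees plain HTTP behind the proxy and redirects to HTTPS
// in an endless loop. Only honor the header if you control the proxy,
// otherwise a visitor could set it themselves.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Optional check you can run from the command line (php -f wp-config-check.php)
// after copying the constant above: confirms the constant is set the way
// WordPress expects before you clear caches and test the login page (step 9).
function wpe_ssl_admin_is_forced(): bool
{
    return defined('FORCE_SSL_ADMIN') && FORCE_SSL_ADMIN === true;
}
```

After saving, clear browser and site caches as in step 8; a login page that still loads over HTTP usually means the constant sits below the “stop editing” line or the proxy header block is missing.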

#2 – Use the free “WP Engine MixBoardPortalPanelPress”

WP Engine Portal, a partial WordPress SSL alternative
What’s Needed? A Facebook or Twitter account (one or the other)

Level of Difficulty: Easy

Time Requirement: 5-10 minutes

Step-by-Step:

  1. Visit https://portal.wpengine.com/
  2. Sign in with your Facebook or Twitter account, whichever is more convenient for you.
  3. Install and activate the Agent WP Engine plugin on your WordPress site.
  4. Copy your portal.wpengine.com Account ID and API Token credentials into the plugin’s settings page (located at wp-admin/index.php?page=wpe-agent).
  5. Refresh the portal.wpengine.com page to see your blog show up, with a link to securely log in to your WordPress Dashboard (whether or not your site has an SSL certificate).
  6. Give your buddy a virtual high-five on Facebook or Twitter, since you’re already logged in.

Comparing the Pros and Cons

WP Engine’s MixBoardPortalPanelPress (hey, I didn’t name it) is quick and easy to set up and has some additional site tools like a malware report, a site performance report, and quick access to WHOIS records. However, it doesn’t provide your site with an actual SSL certificate, which is definitely needed if you want to receive or display sensitive information on your site.

An SSL certificate with proper wp-config.php settings ensures all logins will be HTTPS, not just when clicking from portal.wpengine.com. However, you’ll need separate SSL certificates for each domain and subdomain (unless you buy a wildcard SSL Certificate, which is more expensive).

Break Your Bad Habit in 30 Days

Say it with me,

“I will not log into my WordPress website insecurely for the next 30 days. I promise.”

Image Credits: Padlock image from Flickr and screen shot from portal.wpengine.com

Comments (12)

  1. Nice article Clifford.
    I am about to start a small-scale ecommerce site, and I deduce from your writing you would not advise using the second method on a WP eCommerce website. Kindly let me know if I’m wrong.
    Regards

    • Thank you, Tomas. If you will be collecting sensitive information (anything of value to hackers) like credit card numbers, contact information, government ID numbers, etc., then you NEED to have an SSL certificate. If you pass payment handling to PayPal’s website and use secured (HTTPS) forms from a form provider like JotForm, you might be able to get away with not having your own SSL, but it’s not the recommended setup, particularly because your browser address bar won’t be HTTPS or have a padlock icon, which is what consumers are trained to look for. To be clear, the embedded form might be HTTPS and secure, but you wouldn’t know that without viewing the page’s source code. So user experience – having HTTPS in the address bar – is an important consideration. Long story short, get an SSL certificate if you are doing eCommerce. FYI: you can use the WP Engine Portal even if you have an SSL certificate. Let me know if you have any other questions.

  2. Great post… didn’t know about the WPEngine MixBoardWhatever… will give it a whirl…

    Some hosting companies, like Bluehost for instance, also provide shared SSL certificates, so you don’t even have to fork out money for that…

    In my free WordPress Security Checklist (http://www.wpsecuritychecklist.com) I also mention another poor man’s option to improve your login security: the plugin Semisecure Login Reimagined (http://wordpress.org/extend/plugins/semisecure-login-reimagined/). It will encrypt your login details before they’re sent over the line…

    Just my two cents :-)

    • Have you had a chance to test it out yet? The only part about it that I don’t like is that only 1 user per WP install can use it. This is because you have to use the plugin’s settings to tell the MixBoard Panel which user to sign in as.

      Regarding shared SSL, I don’t think it’s worth the hassle or potentially creating visitor concerns because of having an SSL cert that’s issued to someone else’s name, especially when you can get SSL certs for $10+.

      Regarding the plugin you mentioned, yes, there are a few like that. The one you mentioned states in bold text, “Please note that I’ve moved away from WordPress for the time being. I have no plans to continue updating my plugins. If someone was thinking of forking this project, now would be the time.” and hasn’t been updated since March 11, 2011. I’m guessing it still works as of now, but having that one or another one is definitely better than sending login details in plain text.

  3. Thank you for shedding some light on this subject.

    Yes, ecommerce sites should have SSL.

    Any ecommerce site wanting to preserve their domain name as part of the branding should have their own SSL (not shared).

    The problem with ecommerce sites on Bluehost is the throttling. Sales can be lost, and the customer might not know it. http://www.dynamicnet.net/2012/04/cheap-hosting-limits-growth-site/ was written to go over such issues.

    Thank you.

  4. If you step outside the PayPals and Stripes of the ecommerce industry to a full-fledged merchant, most will require you to have PCI compliance, which in turn requires an SSL certificate. Some require heavier standards of SSL which can get more expensive and just slightly harder to implement, but your hosting company which resells the SSL will help with that.

    • You are correct. SSL certs with extra features (like Extended Validation that turns the browser bar green) can cost hundreds of dollars, even over $1,000. They’re harder to qualify/apply for, requiring more paperwork and additional validation like phone calls, ID cards, etc.