Force http/https conflict with iThemes Security 'Hide-backend'

Hi

I updated to v4.4.0.7 of Domain mapping and noticed that there is a conflict with the iThemes Security 'Hide-backend' feature when the Force http/https feature of Domain mapping is used.

https://wordpress.org/plugins/better-wp-security/

Previously, with Domain mapping v4.1.4.2, I utilized the iThemes Security 'Hide-backend' feature with login & admin SSL enabled via the wp-config file to provide a secure and easy to remember login URL (e.g. https://site1.example.com/login).

The Hide-backend adds the following to .htaccess.

# BEGIN Hide Backend
# Rules to hide the dashboard
RewriteRule ^(/)?login/?$ /wp-login.php [QSA,L]

However, as of v4.4.0.7 of Domain mapping I can no longer enable SSL via the wp-config file, as this causes too many redirects; see: https://premium.wpmudev.org/forums/topic/sub-sites-login-generates-err_too_many_redirects-v4407#post-894455

The problem I'm now experiencing is that once Force http/https is enabled, the login pages on sub-sites are not served via SSL (e.g. http://site1.example.com/login) and attempting to log in generates a 404.

Is the domain mapping plugin hard coded to use or apply SSL to the wp-login.php or wp-admin.php files?

iThemes Security 'Hide-backend' uses a Custom Action; can the domain mapping plugin work with this?

Custom Action: WordPress uses the "action" variable to handle many login and logout functions. By default this plugin can handle the normal ones but some Apps and themes may utilize a custom action (such as logging out of a private post). If you need a custom action please enter it here.

  • Jude

    Hi there @northgate

    Is the domain mapping plugin hard coded to use or apply SSL to the wp-login.php or wp-admin.php files?

    This file seems to suggest this is the case

    wp-content/plugins/domain-mapping/classes/class.domainmap.php

    On line ~153 in the latest version. A workaround for this would be to turn off Force SSL in the plugin and force the SSL via your .htaccess.

    Otherwise you may need to forgo the hide Backend feature.

    Hope that helps
    Jude

  • northgate

    Hi

    Thanks for replying. I have temporarily disabled the Force http/https feature; however, I would need a more permanent solution, as providing login and admin via SSL for security reasons is a high priority.

    Otherwise you may need to forgo the hide Backend feature.

    Currently this is not possible, as all customers are already accustomed to the easy to remember login URL (/login) and most already have it bookmarked.

    force the SSL via your .htaccess

    Can you please let me know how this can be done on only the login and admin of the original domain for sub-sites (e.g. site1.example.com)?

    Can the developer please look into a possible solution for not hard coding the use of the wp-login.php or wp-admin.php files?

    Also, with Force http/https enabled or disabled, the logout from the network, main site and all sub-sites no longer works properly, an issue which previously did not exist in past versions of domain mapping.

    Additionally, the Login Security Solution plugin is also affected.

    • wp.network
      RewriteCond %{REQUEST_URI} !^/wp-admin/
      RewriteCond %{HTTPS} on
      RewriteCond %{HTTP_HOST} (.*)
      RewriteRule ^/(.*) http://%1/$1 [L,R,QSA]

      This doesn't make sense to me... if I'm reading the thread correctly, the advice was to disable the DM feature and to instead use .htaccess to enforce https for login and admin of original network URLs... The above .htaccess does not do this.

      If I wanted to use .htaccess to enforce HTTPS only for login and admin URLs of original network, I would use something like:

      RewriteCond %{REQUEST_URI} ^/wp-(admin|login) [NC]
      RewriteCond %{HTTPS} !=on
      RewriteCond %{HTTP_HOST} example\.com$ [NC]
      RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R,QSA]

      Please let me know if I've misread the thread and I'll be happy to alter the code =)

      Cheers, Max

      • wp.network

        um, so... I guess I may have made a mistake in my code... stuff happens, eh? (and being in a rush all the time doesn't help any!)

        if the goal is to force the requests for login and admin at original network address (example.com) to use https then the code above should be changed to:

        RewriteCond %{REQUEST_URI} ^/wp-(admin|login) [NC]
        RewriteCond %{HTTPS} !=on
        RewriteCond %{HTTP_HOST} example\.com$ [NC]
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R,QSA]

        You might want to set the R to = 301 depending on your situation/goals... hope this helps =)

        Cheers, Max
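
A variant of the rule Max posted, as an added example that is not part of the original thread: it also covers the Hide Backend `/login` alias, which `^/wp-(admin|login)` does not match, and it tests the client's request line so the outcome does not depend on internal rewrites. `example.com` and the `login` slug are the thread's placeholder values; placing the block above the Hide Backend rules is an assumption.

```apache
# Added example, not from the thread. Assumes example.com is the original
# network domain and "login" is the Hide Backend slug.
# Place above the "# BEGIN Hide Backend" block so it is evaluated first.
<IfModule mod_rewrite.c>
RewriteEngine On

# Only act on plain-HTTP requests.
RewriteCond %{HTTPS} !=on

# Only the original network domain and its sub-sites (site1.example.com),
# not mapped customer domains.
RewriteCond %{HTTP_HOST} (^|\.)example\.com$ [NC]

# Match the path the client actually asked for. THE_REQUEST is the raw
# request line ("GET /login HTTP/1.1") and is not changed by internal
# rewrites, so /login is caught before Hide Backend maps it to wp-login.php.
# Covers /login, /wp-login.php and anything under /wp-admin.
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/+(login/?|wp-login\.php|wp-admin(/[^\s?]*)?)(\?\S*)?\s [NC]

# Redirect to the same host and path over HTTPS. The original query string
# is passed through automatically because the target has none of its own.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

Browsers cache a 301, so trying the rule with `R=302` first makes a mistake easier to undo.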

  • Michelle Shull

    Hi there, northgate!

    Try Max's solution above. That's not editing a core WP file, your .htaccess file is separate from WP core, so it's never overwritten in an update. While you don't need it here, your wp-config file also stays as is when you update, so it's also safe to modify if necessary.

    I agree with Max's code and Jude's suggestion, using .htaccess here makes more sense than using a plugin, it's only a few lines to do what you want, no need for the extra resources of this feature in Domain Mapping, especially if it's not working with your current set up.

    Our developers don't typically have the luxury of testing with every plugin from other developers, or promising our plugins will 100% work with plugins we didn't develop or actively work with (like BuddyPress.) A solution from our dev may be down the road, so using .htaccess here will be your strongest bet to get this working ASAP.

    Thanks so much!
