How to 100% SSL WordPress?

I'd like to be able to offer my clients, lawyers and accountants
a blogging and client management system based on WordPress
that they can trust with sensitive legal and financial information.

Starting with SSL...

Is there a way to make WordPress both public facing
and backend admin SSL secured?

By public facing, meaning clients would have access to a
password protected area (powered by wishlist) to interface
with the lawyer to accountant.

That's the start of the idea... please add to how to make it
real. I've already got the SSL lock down for the wp-login
form using my .htaccess file, now need to secure the rest.

Thank you.

  • Tracy
    • The Incredible Code Injector

    You may also want to look at the wp https plugin since some parts of admin pages will not be pulling from https sources. The plugin does a pretty good job of fixing this so IE users don't keep getting insecure https warnings ....

  • xInd
    • Site Builder, Child of Zeus

    Thanks for the tips and links. I need to do this as well, but I need to take it through multi-network and many different domains so I think no matter how I slice it I better go get a server side wildcard ssl.

  • Lifebrightener
    • Design Lord, Child of Thor

    Hi gang,

    I just saw a huge opportunity here if we can nail this down to a science. HEALTHCARE!

    If we can reassure the medical community that we can satisfy the HIPAA guidelines, we can cash in on the fast growing U.S. health care industry. See: http://www.tripwire.com/asset/?type=wp&cat=HIPAA&id=2040&djinn=PPCNA-HIPAAGEN20100830&gclid=CIC6ppn5iqcCFdtx5QodeHN9fQ

    Actually, any developer who created HIPAA PlugASafeIn app that bolted down security for WP for this market will reap both fame and fortune.

    Damn it, I wish I could program like I used to.

  • kshengelia
    • The Incredible Code Injector

    Hello,

    It's a bit of an old thread, but it doesn't matter, I think.

    I have 3 questions (/problems) here:

    1) SSL certificating - As I have said above, I am going to run 3 (Maybe more in future) WP Multisites and I am going to secure each of them with SSL wildcard certificates.
    I have basic questions here - what should I take into account about SSL certificating, what should I be aware of and etc.

    2) Domain Mapping and SSL certificates. - I have read some topics here, and the developer of the Domain Mapping plugin has said that Domain Mapping doesn't support SSL certificates. At first, I was a bit disappointed about that, then I remembered that WordPress.com blogs were secured with SSL, so I found one "domain-attached" blog and went to its "/wp-login.php" and it redirected to what I thought - subdomain/wp-login.php. So I think there should be no problem for us too. What do you think?

    3) SSL Certificates - Which wildcard should I choose? For example, is it OK to choose "True BusinessID Wildcard"?

    Thanks,

    Kote

  • paperweight
    • The Incredible Code Injector

    I just added @targetd code above and it seems to work fine in the htaccess to form SSL. However, my WP Super Cache is now throwing up old cache files on odd URLs... anyone have a suggestion for enabling both a cache and *full* SSL protection over the entire WP installation?

  • Damian
    • Design Lord, Child of Thor

    I am using SSL on my website sitewide (frontend & backend - basically everything) and I have no issues at all.

    Here are the steps to take (deactivate and remove all your other https related plugins you used before first):

    Updating WordPress Settings

    It is important that you do this step first. Doing these steps out of order can cause problems.

    Log into your dashboard and go to the "General Settings" page (Settings > General). Update both the "WordPress address" and "Site address" URLs to use the "https://" protocol rather than "http://".

    Updating Your .htaccess File

    Open up the .htaccess file and find a section that looks like the following.

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress

    Update this section to include the two new lines added below.

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress

    Updating Your Permalinks
    Clear your browser cache, then close and re-open it.
    Log in to your dashboard and then go to (Settings > Permalinks).
    Click "Save Changes" [This is to update your new URL protocol you set in the first step]

    Effectively this forces your site to always be secured.

    Hope this helps.

    Cheers
    Damian
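
Added example (not part of Damian's post or of WordPress itself): WordPress regenerates the lines between `# BEGIN WordPress` and `# END WordPress` when permalinks are saved, so a redirect placed inside the markers can be dropped by that step. This Python check, run over constructed copies of the file above, flags that placement and a bare `[R]` (a temporary 302); the function and finding names are made up for this illustration.

```python
import re

REDIRECT = re.compile(r"^\s*RewriteRule\s+\S+\s+https://\S+\s+\[([^\]]*)\]", re.I)
FRONT = re.compile(r"^\s*RewriteRule\s+\.\s+/index\.php\b", re.I)
PERMANENT = {"R=301", "R=308", "R=PERMANENT"}

def audit_htaccess(text):
    """Return findings about the HTTP-to-HTTPS redirect in an .htaccess file."""
    findings, inside = [], False
    redirect_line = front_line = None
    for n, line in enumerate(text.splitlines(), 1):
        marker = line.strip()
        if marker == "# BEGIN WordPress":
            inside = True
        elif marker == "# END WordPress":
            inside = False
        m = REDIRECT.match(line)
        if m and redirect_line is None:
            redirect_line = n
            flags = {f.strip().upper() for f in m.group(1).split(",")}
            if inside:  # WordPress rewrites everything between its markers
                findings.append("redirect-inside-wp-markers")
            if not flags & PERMANENT:  # a bare [R] is a 302
                findings.append("temporary-redirect-302")
        if front_line is None and FRONT.match(line):
            front_line = n
    if redirect_line is None:
        findings.append("no-https-redirect")
    elif front_line is not None and redirect_line > front_line:
        # rules after the front controller's [L] are not reached for permalinks
        findings.append("redirect-after-front-controller")
    return findings

# Constructed samples built from the rules quoted in the post above.
HTTPS = "RewriteCond %{SERVER_PORT} !^443$\nRewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} "
OPEN = "<IfModule mod_rewrite.c>\nRewriteEngine On\n"
WP_RULES = ("RewriteBase /\nRewriteRule ^index\\.php$ - [L]\n"
            "RewriteCond %{REQUEST_FILENAME} !-f\nRewriteCond %{REQUEST_FILENAME} !-d\n"
            "RewriteRule . /index.php [L]\n</IfModule>\n# END WordPress\n")
AS_POSTED = "# BEGIN WordPress\n" + OPEN + HTTPS + "[R,L]\n" + WP_RULES
# Same redirect in its own block above the markers, made permanent.
RELOCATED = OPEN + HTTPS + "[R=301,L]\n</IfModule>\n# BEGIN WordPress\n" + OPEN + WP_RULES

if __name__ == "__main__":
    print("as posted:", audit_htaccess(AS_POSTED))
    print("relocated:", audit_htaccess(RELOCATED))
```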

  • Ian
    • The Incredible Code Injector

    Thanks Damian, excellent advice, worked great changing WP settings and .htaccess file.

    Does anyone know how to get the existing images placed in posts to use https as well?
    Currently images are still using http so gives the "secure and nonsecure content on same page" warning.

    Maybe there is a plugin that can do site wide changes to url?

    Cheers, Ian

  • paperweight
    • The Incredible Code Injector

    I should add, in many circumstances you just search for:
    src="http://www.mydomain.com/wp-content/uploads/

    and replace with:
    src="https://www.mydomain.com/wp-content/uploads/

    But things may vary depending on what the sourcecode shows on your installation and how you may organize your directories.
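
The search-and-replace above, generalized as an added Python example (not from the original thread): it rewrites every `src` attribute that points at the site's own host, whatever the directory, and returns the `http://` sources on other hosts that still trigger the mixed-content warning. The sample markup, the `cdn.example.net` host and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# src="http://..." or src='http://...' on any tag (img, script, iframe, ...)
SRC = re.compile(r'''(\bsrc\s*=\s*)(["'])http://([^"'\s>]+)\2''', re.I)

def secure_sources(html, own_hosts):
    """Rewrite http:// src URLs on own_hosts to https://.

    Returns (new_html, leftovers); leftovers are the http:// src URLs on
    other hosts, which must be checked for HTTPS support one by one.
    """
    own = {h.lower() for h in own_hosts}
    leftovers = []

    def fix(m):
        url = "http://" + m.group(3)
        host = (urlsplit(url).hostname or "").lower()
        if host in own:
            quote = m.group(2)
            return f"{m.group(1)}{quote}https://{m.group(3)}{quote}"
        leftovers.append(url)  # left untouched: the other host may not serve HTTPS
        return m.group(0)

    return SRC.sub(fix, html), leftovers

# Constructed post content: uploads image, theme image, plain link, third-party image.
SAMPLE = (
    '<p><img src="http://www.mydomain.com/wp-content/uploads/2011/02/chart.png" alt=""></p>\n'
    "<p><img src='http://www.mydomain.com/wp-content/themes/demo/logo.png'></p>\n"
    '<p><a href="http://www.mydomain.com/about/">About</a></p>\n'
    '<p><img src="http://cdn.example.net/banner.png"></p>\n'
)

if __name__ == "__main__":
    fixed, remaining = secure_sources(SAMPLE, ["www.mydomain.com"])
    print(fixed)
    print("still insecure:", remaining)
```

Links (`href` on `<a>`) are left alone because they do not load content into the page; the redirect in .htaccess handles them when they are followed.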
