New to the community? Start here

How to secure wp-signup.php with SSL?

Am hoping the question is self explanatory. I have SSL setup and working perfectly via the Wordpress HTTPS plugin, but I can't find a way to designate a core WP file (non-login) as one to be encrypted. Can anyone help? TIA.

Vinod Dalvi
- WP Unicorn: Earn your WPMU DEV membership
- 1,565 pts: Hero points 17,482 pts: Rep. points LEVEL 29
Hi Burlington,

Thank you for your another question today.

To achieve this could you please try using the solution posted in the following reply?

https://premium.wpmudev.org/forums/topic/https-on-wp-adminadmin-ajaxphp#post-701070

Best Regards,
Vinod Dalvi
Burlington Avenue
- Site Builder, Child of Zeus: Earn your WPMU DEV membership
- 86 pts: Hero points 237 pts: Rep. points LEVEL 4
Thanks much for the fast reply, Vinod. I added the 'define' statement to my config file, but there is no change.

/wp-signup.php still loads unencrypted unless the url starts with https://.
Burlington Avenue
- Site Builder, Child of Zeus: Earn your WPMU DEV membership
- 86 pts: Hero points 237 pts: Rep. points LEVEL 4
Almost want to let you off the hook with this problem, Vinod. You've designed a beautiful solution on another thread that lets me bypass /wp-signup.php for the first blog created by a user. I'll only use this page now when a user creates an additional blog, which is a rare occurrence. Please do resolve this if you can, as others may need a solution as well, but the pressure is off. Thanks much for your efforts.
Ash
- WordPress Hacker: Earn your WPMU DEV membership
- 3,443 pts: Hero points 35,301 pts: Rep. points LEVEL 30
Hello @Burlington Avenue

I hope you are well today. Would you please try the following in your htaccess:
```
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/wp-signup.php?
RewriteRule ^(.*)$ https://www.DOMAIN.com/$1 [R,L]
```
Don't forget to change your domain name :slight_smile:

Hope it helps :slight_smile: Please feel free to ask more question if you have any.

Cheers
Ash

Burlington Avenue

Site Builder, Child of Zeus: Earn your WPMU DEV membership

86 pts: Hero points 237 pts: Rep. points LEVEL 4

Thanks, Ash. My .htaccess file contains a statement affecting /wp-signup.php, for redirecting to a custom file, so I'm leery of adding these new statements without checking. Under some caching statements, my file states:

# BEGIN WordPress
RedirectMatch 301 ^/blog/([0-9]{4})/([0-9]{2})/([0-9]{2})/([^/]+)/$ http://example.com/$4
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
# redirect to custom signup form
RewriteRule ^wp-signup.php(.*)$ wp-content/themes/[my-theme]/wp-signup.php$1

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
</IfModule>

# END WordPress

Where do I add the new statements? Thanks.

Burlington Avenue
- Site Builder, Child of Zeus: Earn your WPMU DEV membership
- 86 pts: Hero points 237 pts: Rep. points LEVEL 4
Any suggestions on where in my .htaccess file to add the new statements? TIA.
Vinod Dalvi
- WP Unicorn: Earn your WPMU DEV membership
- 1,565 pts: Hero points 17,482 pts: Rep. points LEVEL 29
Hi @Burlington Avenue,

You can add the provided code before the following line of code in your .htaccess file.

</IfModule>

Also please try adding the following code in your wp-config.php file.

define( 'FORCE_SSL_LOGIN', TRUE );

Regards,
Vinod Dalvi
Burlington Avenue
- Site Builder, Child of Zeus: Earn your WPMU DEV membership
- 86 pts: Hero points 237 pts: Rep. points LEVEL 4
Thanks, Vinod. Still no change. The page loads with http://.

Ash

WordPress Hacker: Earn your WPMU DEV membership

3,443 pts: Hero points 35,301 pts: Rep. points LEVEL 30

Hello @Burlington Avenue

Please try the following htacess, I have just tried and worked for me:

# BEGIN WordPress
RedirectMatch 301 ^/blog/([0-9]{4})/([0-9]{2})/([0-9]{2})/([^/]+)/$ http://example.com/$4
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{REQUEST_URI} ^/wp-signup.php?
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
# redirect to custom signup form
RewriteRule ^wp-signup.php(.*)$ wp-content/themes/[my-theme]/wp-signup.php$1

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
</IfModule>

# END WordPress

Hope it helps :slight_smile: Please feel free to ask more question if you have any.

Cheers
Ash

Burlington Avenue
- Site Builder, Child of Zeus: Earn your WPMU DEV membership
- 86 pts: Hero points 237 pts: Rep. points LEVEL 4
The file attempts to load with https:// (I see it in address bar) but I get a redirect loop.
Ash
- WordPress Hacker: Earn your WPMU DEV membership
- 3,443 pts: Hero points 35,301 pts: Rep. points LEVEL 30
Do you have SSL installed and configured for your site? Would you please post an URL of your site?

Cheers
Ash
- Burlington Avenue
  - Site Builder, Child of Zeus: Earn your WPMU DEV membership
  - 86 pts: Hero points 237 pts: Rep. points LEVEL 4
  Yes, I have wildcard SSL that works fine. Rather not post the url, but I have a shopping cart, certain other pages and all subsites that load with https://, as well as login and admin pages. The only problem is with those front-end pages that are core Wordpress. So defining admin and login as true can't touch them, nor using the Wordpress HTTPS to encrypt specific pages.
Burlington Avenue
- Site Builder, Child of Zeus: Earn your WPMU DEV membership
- 86 pts: Hero points 237 pts: Rep. points LEVEL 4
FYI, both admin and login are defined as true in wp-config.php. I am also using Wordpress HTTPS plugin with Force SSL Admin and Force SSL Exclusively checked.

Ash

WordPress Hacker: Earn your WPMU DEV membership

3,443 pts: Hero points 35,301 pts: Rep. points LEVEL 30

Hello @Burlington Avenue

If you remove my code and try to visit the signup page using https:// does it load? If it does, please try the following:

# BEGIN WordPress
RedirectMatch 301 ^/blog/([0-9]{4})/([0-9]{2})/([0-9]{2})/([^/]+)/$ http://example.com/$4
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/wp-signup.php?
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
# redirect to custom signup form
RewriteRule ^wp-signup.php(.*)$ wp-content/themes/[my-theme]/wp-signup.php$1

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
</IfModule>

# END WordPress

or this one:

# BEGIN WordPress
RedirectMatch 301 ^/blog/([0-9]{4})/([0-9]{2})/([0-9]{2})/([^/]+)/$ http://example.com/$4
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/wp-signup.php?
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
# redirect to custom signup form
RewriteRule ^wp-signup.php(.*)$ wp-content/themes/[my-theme]/wp-signup.php$1

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
</IfModule>

# END WordPress

Please let me know if it works.

Cheers
Ash

Burlington Avenue
- Site Builder, Child of Zeus: Earn your WPMU DEV membership
- 86 pts: Hero points 237 pts: Rep. points LEVEL 4
It's a beautiful thing, man. First solution above worked perfectly. Thanks much for the great tech support!