I discovered that WordPress doesn’t support outputting secure (HTTPS) links for the login, admin, and registration pages. SSL seems to be an all-or-nothing thing for it: either the whole blog is served over HTTPS or none of it is. It also doesn’t provide a way to restrict your session cookies to being sent only over a secure connection (the cookie Secure flag). Since I do all my editing over secure links (there is customer data on this site!), this irked me a bit, so I looked for ways to work around it.
Jürgen Kreileder has a great blog entry on how to hack WordPress to use secure administration pages. Alas, it does more than I want (comment spam management), and my web server doesn’t run the mod_proxy required to complete the URL output rewriting. I had to do something a bit more… sinister (read: hackish).
Theory:
- use part of Kreileder’s hack (see above) to ensure the cookies are set with the Secure flag, that auth_redirect sends the user to a secure page, and that the admin_referrer check expects a secure page; chuck the rest of it.
- replace the mod_proxy output link rewriting with an extremely hackish change to wp-config.php (the only file I know of that is included by every other page): buffer the page’s output via PHP’s ob_start and, in the callback, rewrite any “http://” links to sensitive pages into “https://” links. (I’m going to programmer’s hell for this.)
- a fairly simple .htaccess rewrite block that redirects insecure requests for sensitive pages to their secure versions
It’s not pretty, but it works. Caveat emptor!
This won’t work, of course, if you have WordPress set to serve gzipped pages when the user’s browser asks for them: WordPress starts its gzip output buffer inside yours, so your callback receives the already-compressed bytes instead of HTML and the link rewriting finds nothing to match. See your WordPress Options, at the bottom of the Reading page.
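The three steps of the theory above, plus the gzip caveat, as one PHP fragment. This is an added example, not the author’s wp-config.php hack or Kreileder’s code. It assumes a host name (example.com), a list of sensitive paths, and the helper names request_is_secure, set_secure_cookie and redirect_insecure_sensitive_request; only RewriteSecureUrls is a name that appears on this page. The redirect of step 3 is done here in PHP rather than in .htaccess, which only covers requests that actually load wp-config.php.

```php
<?php
// Added example, not the blog author's or Kreileder's code: the three
// "Theory" steps in one PHP fragment for the top of wp-config.php (or
// my-hacks.php). Assumptions, not from the post: the host name, the list of
// sensitive paths, and every function name except RewriteSecureUrls.

$site_host    = 'example.com';                                          // assumption
$secure_paths = array('wp-login.php', 'wp-register.php', 'wp-admin/');  // assumption

// Apache sets HTTPS=on on an SSL virtual host; anything else is plain HTTP.
function request_is_secure() {
    return isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== '' && $_SERVER['HTTPS'] !== 'off';
}

// Step 1: the sixth setcookie() argument is the Secure flag, so the browser
// never sends the cookie over plain HTTP. Use this in place of the bare
// setcookie() calls that set the session cookies.
function set_secure_cookie($name, $value, $expire, $path) {
    return setcookie($name, $value, $expire, $path, '', true);
}

// Step 3, done in PHP instead of .htaccess: a plain-HTTP request for a
// sensitive page is bounced to HTTPS before any form or cookie goes out.
function redirect_insecure_sensitive_request($secure_paths, $site_host) {
    if (request_is_secure()) {
        return false;
    }
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    foreach ($secure_paths as $path) {
        // Substring match, so a WordPress install in a subdirectory still matches.
        if (strpos($uri, '/' . $path) !== false) {
            header('Location: https://' . $site_host . $uri, true, 301);
            exit;
        }
    }
    return false;
}

// Step 2: the ob_start callback. The pattern is anchored on this host and on
// the sensitive path prefixes, so http:// links to other sites (or to
// ordinary posts) in the page body are left untouched.
function RewriteSecureUrls($buffer) {
    global $secure_paths, $site_host;
    // Gzip caveat: if WordPress started its gzip buffer inside this one, the
    // buffer already holds compressed bytes (gzip magic 1f 8b). Pass them
    // through unchanged rather than corrupt them; the real fix is to start
    // this buffer after gzip_compression() so it is the innermost one.
    if (substr($buffer, 0, 2) === "\x1f\x8b") {
        return $buffer;
    }
    $alts = array();
    foreach ($secure_paths as $path) {
        $alts[] = preg_quote($path, '#');
    }
    $pattern = '#http://' . preg_quote($site_host, '#') . '/(' . implode('|', $alts) . ')#';
    return preg_replace($pattern, 'https://' . $site_host . '/$1', $buffer);
}

redirect_insecure_sensitive_request($secure_paths, $site_host);
ob_start('RewriteSecureUrls');
```

PHP output buffers nest, and the most recently started one sees the output first: a buffer started in wp-config.php is the outermost, so a gzip buffer WordPress starts later hands it compressed bytes. The magic-byte check above only prevents corruption; to get the rewriting back, the ob_start call has to come after the gzip buffer is started, so that RewriteSecureUrls runs on the HTML before it is compressed.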
One could put the ob_start call below the gzip_compression call in wp-blog-header.php and it would work. (Actually, this is what I did, along with moving the RewriteSecureUrls definition to my-hacks.php and enabling legacy my-hacks support in the WordPress options.)
Comment by jon — 2006.Apr.9 @ 23:25