I wanted to lock a single-site WordPress install down to use SSL admin because I’m a tin-foil hat wearing nerd. Or more to the point, I detest the idea of clear-texting passwords! Most of my problem was finding directions. See, I knew I had to add
define('FORCE_SSL_ADMIN', true); to my
wp-config.php file, but when I did that, I got an error:
Turns out I’d never turned on SSL for my server! My problem then became that I don’t want to shell out $100 a year for SSL when it’s just me no my server, no one else. Once I determined all I wanted was to create an SSL Self Signed Certificate on my server, which has WHM, it got a lot easier!
There are drawbacks to self-signing. Firstly, every time I login on a new browser, I have to tell it ‘Yes, trust me!’ That’s annoying. If I was using this for other things, I’d have to remember to type in httpd every time, but WordPress is smart enough to redirect that for me. Also, back in the day, Chrome was an idiot about them and wouldn’t let me use them! but I use self-signed without knowing it for ages, because my host set that up for cPanel and WebMail. I’m not a business, it doesn’t bother me. If I was, I’d charge more and shell out.
All that error means is that “Hey, ipstenu.org signed this, and I don’t know who that is!” If you read further on that page, there’s a link to ‘Help me understand!’ and it explains:
In this case, the certificate has not been verified by a third party that your computer trusts.
Which is 100% true. By self signing, I’m skipping 3rd party verification and telling you to trust me. Looks scary, it’s really not if you know what you’re doing. If you’re willing to deal with this error every time you login on a new computer, then you too can SSL yourself to a little more safety!
These directions will only help you if you’re using a VPS or dedicated server. You’re going to do all the work in WebHost Manager.
- Go to Main >> SSL/TLS >> Generate a SSL Certificate and Signing Request
- Fill in the fields – the passwords have to be alphanumeric, and remember to use the right domain. If you use www.example.com as your default, use that. I use just example.com for all my sites so I did that.
- Save the data to a text document.
- Go to Main >> SSL/TLS >> Install a SSL Certificate and Setup the Domain
- Import your certificate data (or paste in from text)
- Select Submit
If it works, Apache will restart and you’re done! If not, you have to read the error. My problem came with the domain details:
I was able to skip steps 1-3 and just go right to ‘browse’ since, apparently, at some point I’d done them before. The problem was for my second site, it’s on my shared IP, which meant I had to put in the User of ‘nobody’ instead of the user name. Not a big deal.
After that, I was done and could log in to my site via SSL!
But wait… What about MultiSite? Well if you’re using subfolders, this is great. Subdomains, however… See the host name has got to be the domain name: halfelf.org in this case. So if I wanted to make one for all my subdomains… Owch.
Then I thought that maybe, just maybe, the computers were smart enough on their own. So I did this:
And then this:
Now, since I already had an ipstenu.org cert, I had to delete that one first. But once I did it, I was done. I turned my multi-site into something a little more secure!
And now you can too.