SSL Self Certification and WordPress
I wanted to lock a single-site WordPress install down to use SSL admin because I’m a tin-foil hat wearing nerd. Or more to the point, I detest the idea of clear-texting passwords! Most of my problem was finding directions. See, I knew I had to add define('FORCE_SSL_ADMIN', true); to my wp-config.php file, but when I did that, I got an error:
Turns out I’d never turned on SSL for my server! My problem then became that I don’t want to shell out $100 a year for SSL when it’s just me no my server, no one else. Once I determined all I wanted was to create an SSL Self Signed Certificate on my server, which has WHM, it got a lot easier!
There are drawbacks to self-signing. Firstly, every time I login on a new browser, I have to tell it ‘Yes, trust me!’ That’s annoying. If I was using this for other things, I’d have to remember to type in httpd every time, but WordPress is smart enough to redirect that for me. Also, back in the day, Chrome was an idiot about them and wouldn’t let me use them! but I use self-signed without knowing it for ages, because my host set that up for cPanel and WebMail. I’m not a business, it doesn’t bother me. If I was, I’d charge more and shell out.
All that error means is that “Hey, ipstenu.org signed this, and I don’t know who that is!” If you read further on that page, there’s a link to ‘Help me understand!’ and it explains:
In this case, the certificate has not been verified by a third party that your computer trusts.
Which is 100% true. By self signing, I’m skipping 3rd party verification and telling you to trust me. Looks scary, it’s really not if you know what you’re doing. If you’re willing to deal with this error every time you login on a new computer, then you too can SSL yourself to a little more safety!
These directions will only help you if you’re using a VPS or dedicated server. You’re going to do all the work in WebHost Manager.
- Go to Main >> SSL/TLS >> Generate a SSL Certificate and Signing Request
- Fill in the fields – the passwords have to be alphanumeric, and remember to use the right domain. If you use www.example.com as your default, use that. I use just example.com for all my sites so I did that.
- Save the data to a text document.
- Go to Main >> SSL/TLS >> Install a SSL Certificate and Setup the Domain
- Import your certificate data (or paste in from text)
- Select Submit
If it works, Apache will restart and you’re done! If not, you have to read the error. My problem came with the domain details:
I was able to skip steps 1-3 and just go right to ‘browse’ since, apparently, at some point I’d done them before. The problem was for my second site, it’s on my shared IP, which meant I had to put in the User of ‘nobody’ instead of the user name. Not a big deal.
After that, I was done and could log in to my site via SSL!
But wait… What about MultiSite? Well if you’re using subfolders, this is great. Subdomains, however… See the host name has got to be the domain name: halfelf.org in this case. So if I wanted to make one for all my subdomains… Owch.
Then I thought that maybe, just maybe, the computers were smart enough on their own. So I did this:
And then this:
Now, since I already had an ipstenu.org cert, I had to delete that one first. But once I did it, I was done. I turned my multi-site into something a little more secure!
And now you can too.
I also started using self-signed certificates on my VPS, but unlike you I don’t use subdomains for my different sites … they each have a fully-qualified domain name and are mapped using the MU Domain Mapping plugin. It still works, with one major gotchas – I had to manually upgrade Apache to support multiple SSL vhosts. Apparently you’re supposed to put different SSL hosts on different IPs, so this part was tricky. But it worked.
If I really wanted to buy a certificate, there are sellers who do Unified Communications Certificates (multiple domains) for ~$50/year. If you want to secure one domain (not subdomains, just a single dot-com), there’s a company called Start SSL who will let you do that for free.
Oh yeah, they don’t like multiple hosts on one IP. I noticed that too (which is silly in this day and age!) and probably the real reason I had to delete ipstenu.org to add *.ipstenu.org
Sidebar – After doing that, my clicky smilies (the ones right above the comment field) went away! In fact, every single plugin that handled that sort of thing (I tried 6 last night) broke. I couldn’t reproduce it on my localhost site, though. And it broke on my 3.3-svn site, and my 3.2.1 site!
What was it? Well all the plugins for this call
admin_url('admin-ajax.php'),and the admin_url is what now? Oh yes, SSL. So I changed it toadmin_url('admin-ajax.php', 'http'),and it works!Holy crap! Why had I not thought if this before!!!
Thanks for pointing this out.
Duly book marked till I have time to implement this.
Of course, now I have to do it all over with my new server.
I attempted it this morning. Things didn’t go well
cPanel told me I needed to have a dedicated IP to assign a certificate to the account. So I changed the IP address for my multi-site network ….. BOOM! cPanel errors were served on ALL of the sites on the network
Changed IP address back and it all seems to be working again, but a rather unsuccessful attempt 
Well that turned out to be much simpler than I thought!
I already had a self-signed certificate. All I had to do was add define(‘FORCE_SSL_ADMIN’, true); to wp-config.php and it worked automatically
[...] of the primary domain as the admin URL for each sub-domain.This post was heavily inspired by a similar post by Mika Epstein. Mika is an awesome contributor to the WordPress project and can often be found helping out in the [...]
I made some more details instructions specifically for those with cPanel setups:
http://pixopoint.com/2011/10/08/using-ssl-in-wordpress-admin/