define(’FORCE_SSL_ADMIN’, true); to your wp-config.php file.The WordPress Codex has documentation for running the login, registration, and administration interfaces on an SSL server. There is even a plug-in that will do much of the heavy lifting for you. I have found both of these methods, by themselves, to be rather unsatisfactory, though, in that admin services that rely on AJAX calls back to WordPress break (such as the periodic saving of drafts). What happens is this:
- Plugins will use the ’siteurl’ and/or ‘home’ values in the Options → General admin page, and that value is typically set to the “http://” rather than “https://” address of the blog.
- The URL that plugins construct to talk back to the WordPress installation will go to an “http” address instead of the SSL-encrypted “https” address.
- The admin page, loaded in the browser from the “https” address, attempts to talk back to the WordPress installation on a “http” address and triggers a exception. In Firefox, the error looks like this: Error: [Exception... "'Permission denied to call method XMLHttpRequest.open' when calling method: [nsIDOMEventListener::handleEvent]"...]
The security model in the browser prevents scripts on a page from using XMLHttpRequest1 back to any host on the internet except for the host where the script came from. In this case, the difference between “http://…” and “https://…” is enough to trigger the problem.
So I fixed it with plug-in that uses an undocumented hook in WordPress 2.3. If a plugin requests the value of ’siteurl’ or ‘home’, a filter is called to check if the requested page is on the SSL server. If it is, the filter changes the URL from ‘http’ to ‘https’. In that way, plug-ins will use the proper form of the URL.
< ?php /* Plugin Name: Fix Admin SSL Plugin Script: fix_admin_ssl.php Plugin URI: http://dltj.org/tag/fix_admin_ssl Description: Fix the 'siteurl' and 'home' option values to make the protocol 'https' rather than 'http' when the page was requested with SSL. Version: 1.0 License: GPL Author: Peter Murray Author URI: http://dltj.org/about === RELEASE NOTES === 2008-02-18 - v1.0 - first version */ function fix_admin_ssl($url) { if ($_SERVER['HTTPS'] == 'on') { $url=preg_replace('/^http:\/\//','https://',$url); } return $url; } add_action ('option_siteurl', 'fix_admin_ssl', 1); add_action ('option_home', 'fix_admin_ssl', 1); ?>
One downside to this plug-in, though, is that it will appear to change the values of ’siteurl’ and ‘home’ on the Options → General admin page. The values in the database are still the ‘http’ ones, but since the Options page is an admin page the filter will run when it pre-loads those form fields.
If there is interest, I can package up the above code into a legitimate plugin and submit it to the WordPress plugins list.
Footnotes
- See http://en.wikipedia.org/wiki/XMLHttpRequest for more information on XMLHttpRequest. [↩]
![[Creative Commons Logo]](/wp-content/themes/local/cc-by-na-sa-30-us-88x31.png){kind=small}
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
4 Comments
We have been wrestling with admin SSL and AJAX calls on our wpmu install for, oh geez, months and months and months. If this does work, you are (once again) my hero. Honest. Hopefully it will function in wpmu like it does for your wp.
I don’t know anything about WPmu specifically, but if it works for you, great! (Be sure to report back here one way or the other.)
I would like to see this plugin rather than hacking the plugins itself, which I have been doing!
Ray — Fortunately, the plug-in isn’t required anymore…at least for the reasons I was originally using it. I was surprised to see that the PHP code for the plugin was no longer included in the text of the post. I was able to find an older version of the post, though, and restore the code. I hope you find it useful.
4 Trackbacks
Post a Comment