
SSL for WordPress Admin and the Problem with XMLHttpRequest

Note! The updates to SSL handling in WordPress version 2.6 handle the problem of SSL-encrypted admin sessions in a much less hackish sort of way. It doesn’t make any sense to use this plugin with WordPress version 2.6 when you can simply add define('FORCE_SSL_ADMIN', true); to your wp-config.php file.

The WordPress Codex has documentation for running the login, registration, and administration interfaces on an SSL server. There is even a plug-in that will do much of the heavy lifting for you. I have found both of these methods, by themselves, to be rather unsatisfactory, though, in that admin services that rely on AJAX calls back to WordPress break (such as the periodic saving of drafts). What happens is this:

  1. Plugins will use the ‘siteurl’ and/or ‘home’ values in the Options → General admin page, and that value is typically set to the “http://” rather than “https://” address of the blog.
  2. The URL that plugins construct to talk back to the WordPress installation will go to an “http” address instead of the SSL-encrypted “https” address.
  3. The admin page, loaded in the browser from the “https” address, attempts to talk back to the WordPress installation on an “http” address and triggers an exception. In Firefox, the error looks like this: Error: [Exception... "'Permission denied to call method XMLHttpRequest.open' when calling method: [nsIDOMEventListener::handleEvent]"...]

The browser’s security model (the same-origin policy) prevents scripts on a page from using XMLHttpRequest [1] to contact any host on the internet other than the host the script came from. In this case, the difference between “http://…” and “https://…” is enough to trigger the problem.
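The origin check described above, as an added example (not code from the original post): it compares scheme, host and port the way the same-origin rule does and reports which component differs for a callback URL built from ‘siteurl’. The host `blog.example`, the sample paths and the function names are assumptions made for illustration.

```javascript
// Added example: same-origin comparison as applied to XMLHttpRequest targets.
// blog.example and the URLs below are constructed sample values.

// Default ports, so that https://host and https://host:443 compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function originParts(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // URL.port is '' when the default port is used, so fill it in explicitly.
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Returns the origin components that differ; an empty list means same origin.
function originMismatch(pageUrl, requestUrl) {
  const page = originParts(pageUrl);
  const req = originParts(requestUrl);
  return ['scheme', 'host', 'port'].filter((k) => page[k] !== req[k]);
}

// Audit the callback URLs a plugin would build from the 'siteurl' option.
function auditCallbacks(pageUrl, siteurl, paths) {
  return paths.map((p) => {
    const target = siteurl.replace(/\/+$/, '') + p;
    const differs = originMismatch(pageUrl, target);
    return { target, allowed: differs.length === 0, differs };
  });
}

const adminPage = 'https://blog.example/wp-admin/post.php';
const paths = ['/wp-admin/admin-ajax.php'];

// 'siteurl' stored as http:// while the admin page is served over https://
// -> blocked: the scheme differs (and with it the default port).
console.log(auditCallbacks(adminPage, 'http://blog.example', paths));

// 'siteurl' seen as https:// -> same origin, the request is allowed.
console.log(auditCallbacks(adminPage, 'https://blog.example:443/', paths));
```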

So I fixed it with a plug-in that uses an undocumented hook in WordPress 2.3. If a plugin requests the value of ‘siteurl’ or ‘home’, a filter is called to check if the requested page is on the SSL server. If it is, the filter changes the URL from ‘http’ to ‘https’. In that way, plug-ins will use the proper form of the URL.

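<?php
/*
Plugin Name: Fix Admin SSL
Plugin Script: fix_admin_ssl.php
Plugin URI: http://dltj.org/tag/fix_admin_ssl
Description: Fix the 'siteurl' and 'home' option values to make the protocol 'https' rather than 'http' when the page was requested with SSL.
Version: 1.0
License: GPL
Author: Peter Murray
Author URI: http://dltj.org/about

=== RELEASE NOTES ===
2008-02-18 - v1.0 - first version
*/

// Filter callback: when the current request arrived over SSL, rewrite an
// 'http://' option value to 'https://' so plugin-built URLs keep the page's scheme.
function fix_admin_ssl($url) {
  // isset() avoids an undefined-index notice on plain HTTP requests.
  if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
    $url = preg_replace('/^http:\/\//', 'https://', $url);
  }
  return $url;
}

// 'option_siteurl' and 'option_home' are filter hooks applied by get_option().
add_filter('option_siteurl', 'fix_admin_ssl', 1);
add_filter('option_home', 'fix_admin_ssl', 1);

?>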

One downside to this plug-in, though, is that it will appear to change the values of ‘siteurl’ and ‘home’ on the Options → General admin page. The values in the database are still the ‘http’ ones, but since the Options page is an admin page the filter will run when it pre-loads those form fields.

If there is interest, I can package up the above code into a legitimate plugin and submit it to the WordPress plugins list.

Footnotes

  1. See http://en.wikipedia.org/wiki/XMLHttpRequest for more information on XMLHttpRequest.
(This post was updated on 31-Aug-2009.)

4 Comments

  1. John Fink | March 20, 2008 at 12:55 pm | Permalink

    We have been wrestling with admin SSL and AJAX calls on our wpmu install for, oh geez, months and months and months. If this does work, you are (once again) my hero. Honest. Hopefully it will function in wpmu like it does for your wp.

  2. the Jester | March 20, 2008 at 12:57 pm | Permalink

    I don’t know anything about WPmu specifically, but if it works for you, great! (Be sure to report back here one way or the other.)

  3. Ray | August 31, 2009 at 6:07 pm | Permalink

    I would like to see this plugin rather than hacking the plugins themselves, which I have been doing!

  4. the Jester | August 31, 2009 at 7:02 pm | Permalink

    Ray — Fortunately, the plug-in isn’t required anymore…at least for the reasons I was originally using it. I was surprised to see that the PHP code for the plugin was no longer included in the text of the post. I was able to find an older version of the post, though, and restore the code. I hope you find it useful.


From the Disruptive Library Technology Jester (http://dltj.org/), printed on Tuesday the 9th of February 2010 at 6:17:47 AM EST (-0500). The URL to this page is http://dltj.org/article/wordpress-ssl-xmlhttprequest/

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.