define(’FORCE_SSL_ADMIN’, true); to your wp-config.php file.The WordPress Codex has documentation for running the login, registration, and administration interfaces on an SSL server. There is even a plug-in that will do much of the heavy lifting for you. I have found both of these methods, by themselves, to be rather unsatisfactory, though, in that admin services that rely on AJAX calls back to WordPress break (such as the periodic saving of drafts). What happens is this:
- Plugins will use the ’siteurl’ and/or ‘home’ values in the Options → General admin page, and that value is typically set to the “http://” rather than “https://” address of the blog.
- The URL that plugins construct to talk back to the WordPress installation will go to an “http” address instead of the SSL-encrypted “https” address.
- The admin page, loaded in the browser from the “https” address, attempts to talk back to the WordPress installation on a “http” address and triggers a exception. In Firefox, the error looks like this: Error: [Exception... "'Permission denied to call method XMLHttpRequest.open' when calling method: [nsIDOMEventListener::handleEvent]“…]
The security model in the browser prevents scripts on a page from using XMLHttpRequest1 back to any host on the internet except for the host where the script came from. In this case, the difference between “http://…” and “https://…” is enough to trigger the problem.
So I fixed it with plug-in that uses an undocumented hook in WordPress 2.3. If a plugin requests the value of ’siteurl’ or ‘home’, a filter is called to check if the requested page is on the SSL server. If it is, the filter changes the URL from ‘http’ to ‘https’. In that way, plug-ins will use the proper form of the URL.
One downside to this plug-in, though, is that it will appear to change the values of ’siteurl’ and ‘home’ on the Options → General admin page. The values in the database are still the ‘http’ ones, but since the Options page is an admin page the filter will run when it pre-loads those form fields.
If there is interest, I can package up the above code into a legitimate plugin and submit it to the WordPress plugins list.
Footnotes
- See http://en.wikipedia.org/wiki/XMLHttpRequest for more information on XMLHttpRequest. [↩]





2 Comments
We have been wrestling with admin SSL and AJAX calls on our wpmu install for, oh geez, months and months and months. If this does work, you are (once again) my hero. Honest. Hopefully it will function in wpmu like it does for your wp.
I don’t know anything about WPmu specifically, but if it works for you, great! (Be sure to report back here one way or the other.)
2 Trackbacks
Post a Comment