WordPress Force SSL Administration

“See, you shouldn’t steel internet on a regular basis” I told my acquittance, “it’s not that it’s wrong – it’s just not safe.” I mean, think about it – you never know if the person running an open wifi node is an idiot or just pretends to be one. It’s fine to jump onto someones unsecured connection to do some casual browsing. In fact, it is recommended to use an open Wifi hotspot that cannot be traced to you for any and all large scale illegal downloading you may want to do. But your regular day to day browsing should be done over a connection you trust.

Why? Because you are likely to be sending private data in plain text over that network. If you ever see me running an open wifi node you can safely assume I am probably sitting thee with a packet sniffer collecting people’s facebook passwords so that I can log in into their accounts and change their profile pictures to Goatse with a caption: “I AM A STEALER OF THE INTERNETS”.

Actually, scratch that – I wouldn’t do that because I’m a nice guy. It’s not in my nature to do things like that and – I can’t really hide it. You can tell whether or not someone is a good guy that by observing how many sexy ladies there are in his orbit at any given time. If you see a guy who has more orbiting bodies than Jupiter, you can tell the dude is an incredible duchebag and a horrible human being. So you should probably hang out with him in hopes of intercepting one of the outlying satellites.

Are these astronomical relationship jokes doing anything for you? No? Well screw you then. The point is that Facebook and similar websites can be prime target for packet sniffing. So are things like POP email, IM clients and etc. You shouldn’t trust any network, including yours but suspiciously open wifi networks are the worst. How do you know the owner of your internet gateway doesn’t have it set up to log all the crap that goes through it. You don’t. Even if you think your neighbor Joe wouldn’t do such a thing, you can’t be sure that his nephew Sid who set up his wifi is not a diabolical jerk who collects peoples passwords for fun and profit.

When you are on a strange network you should be at least using SSL to make sure that things like passwords are not being sent in plain text. Most of the sites are pretty good about it and do serve their content via SSL. Most do not default to it though – facebook is a prime example here. The default login page is not encrypted. Furthermore and because of how the Application API works even if you log in over SSL the content you get served is mixed – parts of it come in un-encrypted so you are still leaking data.

Or even worse – what if, for example you are running a self hosted blog like me. Do you use SSL to log in? You do? Holly fucking shit! I don’t! I never actually thought about it, until few days ago!

Granted I don’t steal internet (like some of you people, you know who you are) but I do sometimes log in from school, work, and etc. This is not acceptable. So as you can imagine, the first thing I did after realizing this was to go and set up an SSL certificate for the blog. The second thing I did was to add this line to my wp-confing.php:

  define('FORCE_SSL_ADMIN', true);

What does this do? It forces wordpress to use SSL for all administrative functions and redirects all links accordingly. So for example if I get an email notification about a post in moderation queue I can hit the “approve” link and have WordPress automatically serve me the SSL encrypted page instead of an un-encrypted one. This makes me feel a little better about logging into my own website from networks I don’t actually own.

I still wouldn’t use someones insecure wifi connection though. Unless for torrents of course. Which is why you should should use WPA/WPA2 or better kids. Otherwise some jerk will use all of your available bandwidth to download tons of movies and video games without ever worrying about being caught.

This entry was posted in technology and tagged , . Bookmark the permalink.

5 Responses to WordPress Force SSL Administration

  1. IceBrain PORTUGAL Mozilla Firefox Debian GNU/Linux Terminalist says:

    I was thinking about doing the same thing in my phpBB forum, but I don’t think it supports SSL, so I will have to write another patch *sigh*.

    By the way, I share my Wifi network – it’s fine as long as you use a firmware that can be configured to use two different networks, one public and on private, and limits the bandwidth of the public one.
    But now here in Portugal we can get an unmetered connection for 24€/month, so it doesn’t really matter. :)

    Reply  |  Quote
  2. I see you went for the unique IP option then? Us readers can somewhat manually use SSL as well, once we get past the big certificate warning message.

    Reply  |  Quote
  3. Luke Maciak UNITED STATES Mozilla Firefox Windows Terminalist says:

    @ IceBrain:

    Well, sharing is nice. Still, I wouldn’t trust a network I don’t know for “mission critical” stuff. For example, I don’t get people who use their neighbor’s open wifi connection as their primary source of the internet. I couldn’t live like that – it’s too unreliable and I would be concerned about all kinds of nasty worms the other computers on that network are likely infected with.

    Oh, btw – if you have full access to your server you can configure your apache or IIS to force SSL access to certain directories. So for example anything in /phpbb/admin/ would have to use SSL.

    I mainly did the wordpress hack because I’m on a shared server. Well that and I wanted it to automatically redirect to SSL based site when I click on links in my email.

    Reply  |  Quote
  4. Luke Maciak UNITED STATES Mozilla Firefox Linux Terminalist says:

    @ Chris Wellons:

    Hey, I just noticed your comment got eaten by the spam filter and was waiting to be rescued.

    Well, the unique IP thing seems to be the only way to actually get the certificate in place on a Dreamhost shared server. At least as far as I could tell.

    Sorry about the warning but I figured there was no real reason to pay for a certificate when the SSL setup is mostly for my use. If I was actually requiring people to log in to post comments I’d probably get a genuine one. But for what I’m using it, a self signed cert is good enough.

    Reply  |  Quote
  5. @ Luke Maciak: Oh, I didn’t mean that you should bother to get it signed in this case. You know your own certificate already, so no reason to give free money to an incompetent certificate authority! :-)

    Reply  |  Quote

Leave a Reply

Your email address will not be published. Required fields are marked *