WordPress – HTTPS for /wp-admin/ and HTTP for everything else

.htaccessapache-2.2httphttpsWordpress

I'm running a WordPress site on a shared Apache server on Dreamhost. I already have define('FORCE_SSL_ADMIN', true); set (and working) in my wp-config.php so that SSL is used for the /wp-admin/ directory.

Can you point me to a .htaccess set of rules that will still maintain /wp-admin/ over https, but redirect any other directory/URL to use http? All help is appreciated. Thanks.

Best Answer

RewriteCond %{REQUEST_URI} !^/wp-admin/
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} (.*)
RewriteRule ^/(.*) http://%1/$1 [L,R,QSA]

Note that if your admin interface loads images, CSS, JS, etc. out of a directory other than /wp-admin/ (which by default it does), this will probably make a warning appear on your browser (and will likely compromise the security you were trying to gain). You can add something like:

RewriteCond %{REQUEST_URI} !\.(js|css|jpg|gif|png)$

to resolve that, just keep adding extensions until you've got everything covered.

Related Solutions

WordPress – Wrong urls at wp-admin at wordpress with subdirectory and proxy

The absolute (and wrong) paths are in the content generated by WordPress - there's no way to rewrite them with Apache (how would Apache know which blog is meant when a client asks for /wp-content?).

Modifying the site URL in the WordPress config is the correct path.

For the blog1 instance:

define('WP_SITEURL', 'http://example.com/blog');

For the blog2 instance:

define('WP_SITEURL', 'http://example.com/other-blog');

What have you tried, and what behavior did you see?

.htaccess rewrite http to https results in loop

I found out from the server admins that they terminate SSL with Pound on this server. What that means is that SSL works, but the HTTP_SERVER variables do not reflect the values that I expected. SERVER_PORT will always be 80 and HTTPS will always be off regardless of the true state of things.

When using mod_rewrite, dump out your server variables to see what you can test with your RewriteCond's. See http://www.askapache.com/htaccess/crazy-advanced-mod_rewrite-tutorial.html#PHP_Code_access_Apache_Variables

You can also redirect http to https using most programming languages. I have Drupal's 443session module working with this site--it uses that approach. (I didn't have to tell the module to set up rules even though it couldn't detect that HTTPS was on.)

Make sure you use secure session cookies too. You need them in addition to mod_ssl to prevent session hijacking.

For Drupal this is old, but good http://drupalscout.com/knowledge-base/drupal-and-ssl-multiple-recipes-possible-solutions-https I think drupal.org/project/443session is the best module option currently.

Best Answer

Related Solutions

WordPress – Wrong urls at wp-admin at wordpress with subdirectory and proxy

.htaccess rewrite http to https results in loop

Related Topic