How to automatically redirect the WordPress login and admin pages from HTTP to HTTPS
I always get worried every time I have to login to a website over a non-SSL enabled connection. When my blog didn’t support SSL (before I migrated from a shared host to my own VPS) and I had to work on it at a coffee shop, I would sometimes change my password when I get home, which of course is still not that secure as my blog is hosted outside my local network which I have no control over.
A computer with a network card (wired or wireless) that supports promiscuous mode can easily sniff out packets coming in and out of other devices on the same local network the computer belongs to using tools like Wireshark. So if you’re using a public wireless access point, for example, other computers connected to that same wireless access point could see the data you’re sending and receiving over the network.
Even if the login form hashes the password first (using one-way hashing algorithms such as MD5 or SHA-1), most users probably have passwords that aren’t that strong/complex, allowing the attacker to brute-force the hashed passwords in a reasonable amount of time. Advancement in GPU technology and tools like IGHashGPU make cracking passwords much, much faster.
There are also tools like Firesheep for Firefox which allows attackers to impersonate you by hijacking your session cookies since its content can be retrieved in plain text over an unencrypted connection.
Automatically redirecting all WordPress pages that send out authentication-related information from HTTP to HTTPS could prevent these types of attacks.
If you have full control over your WordPress installation, this is very easy to do. Just edit the wp-config.php file in the root directory of your WordPress installation and add the highlighted line below before /* That’s all, stop editing! Happy blogging. */.
define('WP_DEBUG', false); /** * Force SSL on login and admin pages. */ define('FORCE_SSL_ADMIN', true); /* That's all, stop editing! Happy blogging. */ /** Absolute path to the WordPress directory. */ if ( !defined('ABSPATH') ) define('ABSPATH', dirname(__FILE__) . '/');
More information can be found here: http://codex.wordpress.org/Administration_Over_SSL
If you don’t have full control over your WordPress installation (such as in a shared hosting environment), you can give this plugin a try: http://wordpress.org/extend/plugins/wordpress-https/