To improve the security of your sites, it is recommended to use SSL. In my case, the goal was a secure connection for login, admin and registration only; there was no need to serve all of my content over HTTPS. My current WordPress version is 4.6.1.
My site runs on an intranet, so I was not able to use Let’s Encrypt for it. The good thing is that this service provides free SSL certificates, which expire after three months, so you have to renew them manually or automatically once you rely on it. Note: it is important that your domain name can be resolved by a public DNS server; otherwise you have no chance of using Let’s Encrypt (as in my case!).
The better solution for my problem was to generate a self-signed certificate. I tried this on Ubuntu 14.04 with an Apache server hosting a WordPress site. The steps are simple:
- Check that you have “openssl” installed. It is most probably at “/usr/bin/openssl”. If it is not installed, you can install it as follows:
$ apt-get install openssl
- Create a folder to store the generated files:
$ sudo mkdir /etc/apache2/ssl
- Generate the files. The certificate will be valid for one year (do not forget to renew it when needed!):
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
- When you hit ENTER, you will be asked the following questions:
Country Name (2 letter code) [AU]: TR
State or Province Name (full name) [Some-State]: Istanbul
Locality Name (eg, city) []: Istanbul
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Company
Organizational Unit Name (eg, section) []: Your Department
Common Name (e.g. server FQDN or YOUR name) []: your_domain.com OR ip address
Email Address []: email@example.com
- Copy the generated files to the required Apache folders:
$ cp /etc/apache2/ssl/apache.crt /etc/ssl/certs/ssl.crt
$ cp /etc/apache2/ssl/apache.key /etc/ssl/private/ssl.key
- Enable Apache’s SSL module, activate the default SSL site configuration and restart Apache:
$ sudo a2enmod ssl
$ sudo a2ensite default-ssl
$ sudo service apache2 restart
- Add the following line to your wp-config.php file to enable SSL on the login and admin pages of WordPress.
Very important note: you must add this line BEFORE the “require_once(ABSPATH . 'wp-settings.php');” line.
- Optional: You can define a cron job to automatically renew expired certificates.
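The steps above, collected into reusable shell functions. This is an added example and not code from the original post: it takes the host name and the key and certificate paths as parameters instead of hard-coding the post's /etc/apache2/ssl paths, and it additionally writes a subjectAltName into the certificate, because current browsers ignore the Common Name alone and reject certificates that carry no SAN. The constant it inserts into wp-config.php is FORCE_SSL_ADMIN, the one the post names in its "things you don't need to do" list; the file names and the host intranet.example used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the post's steps as idempotent
# shell functions. Paths and host names passed in are assumptions; adjust them.
set -eu

# Generate step: self-signed certificate with a subjectAltName. Browsers now
# require a SAN, so the host name (DNS) or dotted IPv4 address (IP) is written
# into a small throw-away OpenSSL config instead of only into the CN prompt.
# Usage: make_selfsigned_cert <host-or-ip> <key-out> <crt-out> [days]
make_selfsigned_cert() {
  host=$1; key=$2; crt=$3; days=${4:-365}
  case $host in
    *[!0-9.]*) san="DNS:$host" ;;   # contains letters: treat as a DNS name
    *)         san="IP:$host" ;;    # only digits and dots: an IPv4 address
  esac
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = $san
EOF
  openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
    -keyout "$key" -out "$crt" -config "$cfg"
  rm -f "$cfg"
}

# wp-config.php step: put define('FORCE_SSL_ADMIN', true); on the line
# directly before the require_once of wp-settings.php, exactly once.
# Returns 1 (and leaves the file untouched) if no such require line exists,
# because the constant would be silently ignored after it.
# Usage: enable_force_ssl_admin <path-to-wp-config.php>
enable_force_ssl_admin() {
  cfg=$1
  if grep -q FORCE_SSL_ADMIN "$cfg"; then
    return 0                         # already present: nothing to do
  fi
  tmp=$(mktemp)
  awk -v line="define('FORCE_SSL_ADMIN', true);" \
      '/require_once.*ABSPATH.*wp-settings\.php/ && !done { print line; done = 1 }
       { print }' "$cfg" >"$tmp"
  if ! grep -q FORCE_SSL_ADMIN "$tmp"; then
    rm -f "$tmp"
    echo "enable_force_ssl_admin: no wp-settings.php require found in $cfg" >&2
    return 1
  fi
  cat "$tmp" >"$cfg"                 # keeps the original file's permissions
  rm -f "$tmp"
}

# Optional cron step: exit 0 if the certificate stays valid for at least
# <days> more days, 1 if it expires sooner or cannot be read. A cron job can
# call this and regenerate the certificate when it returns 1.
# Usage: cert_valid_for <crt> <days>
cert_valid_for() {
  crt=$1; days=$2
  [ -r "$crt" ] || return 1
  openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null
}
```

A nightly cron entry can call cert_valid_for on the certificate and, when it reports 1, run make_selfsigned_cert again and restart Apache; the web server only picks up the new files after a restart. A self-signed certificate still produces a browser warning on the intranet until the clients are told to trust it, so the renewal job is about keeping the certificate from expiring, not about removing that warning.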
Once you are done with all these steps, try to log in to your website at http://DOMAIN-NAME/wp-login.php, where DOMAIN-NAME is your web site address. You will see that you are automatically redirected to https://DOMAIN-NAME/wp-login.php. In this way, you can secure your WordPress installation.
The 7th step did not work well in my case because I tried to add this line to the end of my config file. In the WordPress Codex documentation, it was written that this should be added before the final require part.
Things that you don’t need to do:
* Install a WordPress SSL plugin to do the same things. Don’t do this; the developers last updated the plugin four years ago, and it may damage your WordPress installation.
* Update the .htaccess file for redirections. There is no need for this, and wrong RewriteRules can make things worse!
* You don’t have to add the following to your wp-config file, since it is deprecated as of WordPress v4.0. FORCE_SSL_ADMIN is enough to do the trick.
The following sites helped me solve my problem and write this post! 🙂