Tag Archives: ssl

Moving WordPress admin panel to another TCP port (with SSL)

Wordpress logo

Last time I’ve been working on my WordPress installation security. I added a few layers of high-level-security-paranoia. One of those was moving admin-panel to another TCP port (this was because I got only 1 public IP addr on this VPS and that means only one SSL legit certificate on 443 port. So – each SSL webservice on my server is now binded to a different TCP port and those are ‘SSL green’ ;) ).

Running admin panel over SSL is a thing which has already been described on a many websites:

But I haven’t found any article about running Admin Panel over SSL on different port than the website. So I took a deep dive (oh not that deep) into WordPress code and found, that it’s really that simple ;) Assuming my admin panel is running on TCP/445 port and website is as usual on TCP/80 all i had to do was this chunk of PHP code (maybe not that clean, but it’s just working fine) – put it in wp-config.php file:

References:

Apache SSL cipher / protocol hardening

While preparing to the RHCE exam I rechecked my standard SSL configurations and came to conclusion, that I should probably update my SSLCipherSuite value. I also updated SSLProtocol and switched SSLHonorCipherOrder in the way that the server’s preference of SSLCipherSuite is used instead of the browser’s:

As You can see I also disabled SSLv3 in the SSLProtocol. Why? Because even IE8 on Windows XP uses TLSv1 :) You could also enter +TLSv1.1 or even +TLSv1.2 when using appropriate version of OpenSSL.

Read more at http://httpd.apache.org/docs/trunk/mod/mod_ssl.html

After applying changes make sure that new config will pass SSL tests https://www.ssllabs.com/ssltest/index.html

Safe WordPress management via SSL / HTTPS

Why would You like to secure Your wp-admin session with SSL? Remember – Big Brother is always watching – so don’t make his life easy.

In order to use SSL in wp-admin the morst important thing is to enable SSL in WWW server’s vhost (eg. Apache). When SSL is turned on for Your WordPress domain it will work just out of the box.

So what is also important here? You should always make users use SSL in wp-admin sessions. So make it obligatory. You can do it using mod_rewrite in Apache webserver (httpd.conf or .htaccess):

RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} !=on
RewriteRule “^(/wp-admin/.*)” “https://%{HTTP_HOST}$1” [R=301,L]

Or simplier – editing Your wp-config.php file – add below line:

define(‘FORCE_SSL_ADMIN’, true);

somewhere before the folliwing line:

require_once(ABSPATH . ‘wp-settings.php’);

And that should do the trick!