Tag Archives: wordpress

Moving WordPress admin panel to another TCP port (with SSL)

Wordpress logo

Last time I’ve been working on my WordPress installation security. I added a few layers of high-level-security-paranoia. One of those was moving admin-panel to another TCP port (this was because I got only 1 public IP addr on this VPS and that means only one SSL legit certificate on 443 port. So – each SSL webservice on my server is now binded to a different TCP port and those are ‘SSL green’ ;) ).

Running admin panel over SSL is a thing which has already been described on a many websites:

But I haven’t found any article about running Admin Panel over SSL on different port than the website. So I took a deep dive (oh not that deep) into WordPress code and found, that it’s really that simple ;) Assuming my admin panel is running on TCP/445 port and website is as usual on TCP/80 all i had to do was this chunk of PHP code (maybe not that clean, but it’s just working fine) – put it in wp-config.php file:

References:

WordPress plugin Random Posts Widget Configurable is misbehaving

I was looking for some WP plugin that generates widget with a list of random posts in the sidebar. First hit was Random Posts Widget Configurable – so I downloaded and installed it. Works fine – but there was some border I didn’t like to decided so remove it. While lurking into the code I spotted this one:

Seriously? Some shop AD? There is already some posts about it on WP site: http://wordpress.org/support/view/plugin-reviews/random-posts-widget-configurable

So – remember to check the code of plugins You use. I’ll try to write a post about WordPress security – It could be helpful for some of You.

Safe WordPress management via SSL / HTTPS

Why would You like to secure Your wp-admin session with SSL? Remember – Big Brother is always watching – so don’t make his life easy.

In order to use SSL in wp-admin the morst important thing is to enable SSL in WWW server’s vhost (eg. Apache). When SSL is turned on for Your WordPress domain it will work just out of the box.

So what is also important here? You should always make users use SSL in wp-admin sessions. So make it obligatory. You can do it using mod_rewrite in Apache webserver (httpd.conf or .htaccess):

RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} !=on
RewriteRule “^(/wp-admin/.*)” “https://%{HTTP_HOST}$1” [R=301,L]

Or simplier – editing Your wp-config.php file – add below line:

define(‘FORCE_SSL_ADMIN’, true);

somewhere before the folliwing line:

require_once(ABSPATH . ‘wp-settings.php’);

And that should do the trick!