Last time I was working on the security of my WordPress installation I added a few layers of high-level security paranoia. One of them was moving the admin panel to another TCP port. The reason: I have only one public IP address on this VPS, which (without relying on SNI, which lets one IP serve several certificates on 443) means only one legitimate SSL certificate on port 443. So each SSL web service on my server is now bound to a different TCP port, and all of them are 'SSL green' ;)
Running the admin panel over SSL is something that has already been described on many websites:
- http://codex.wordpress.org/Administration_Over_SSL
- http://www.wpbeginner.com/wp-tutorials/how-to-secure-your-wordpress-pages-with-ssl/
- http://support.godaddy.com/help/article/6922/using-an-ssl-with-your-wordpress-admin-control-panel
But I haven't found any article about running the admin panel over SSL on a different port than the website. So I took a (not that deep) dive into the WordPress code and found that it is really that simple ;) Assuming the admin panel runs on TCP/445 and the website, as usual, on TCP/80, all I had to do was put this chunk of PHP (maybe not that clean, but it works fine) into wp-config.php:

// Only when the request arrived over TLS on the admin port (445) do we
// override the home/site URLs so that every generated link carries the port.
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' && isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT']==445){
    define('WP_HOME','https://maciek.lasyk.info:445/sysop');
    define('WP_SITEURL','https://maciek.lasyk.info:445/sysop');
}
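The Apache side of this setup, as an added example that is not part of the original post: a vhost on TCP/445 for the admin panel and a redirect on the TCP/80 site so that wp-admin and wp-login.php cannot still be used in the clear. It assumes Apache httpd 2.4; the hostname and the /sysop path are taken from the snippet above, while the DocumentRoot and certificate paths are placeholders.

```apache
# Added example (not from the original post). Assumes Apache httpd 2.4 and
# WordPress installed under /var/www/html/sysop (path and certificate
# locations are assumptions; hostname and /sysop come from the post).

Listen 445

# Admin panel: HTTPS on TCP/445. Inside this vhost PHP sees
# $_SERVER['HTTPS'] == 'on' and SERVER_PORT == 445, so the wp-config.php
# condition above fires and WP_HOME/WP_SITEURL carry the port.
<VirtualHost *:445>
    ServerName maciek.lasyk.info
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/maciek.lasyk.info.crt
    SSLCertificateKeyFile /etc/pki/tls/private/maciek.lasyk.info.key
    <Directory /var/www/html/sysop>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# Public site: plain HTTP on TCP/80. Moving the admin panel is only useful
# if it cannot still be reached here, so send wp-admin and wp-login.php to
# the TLS port. wp-login.php must be included: that is where the password
# is posted, and a rule covering only wp-admin/ would leave it in the clear.
<VirtualHost *:80>
    ServerName maciek.lasyk.info
    DocumentRoot /var/www/html
    RedirectMatch permanent "^/sysop/(wp-admin(/.*)?|wp-login\.php)$" "https://maciek.lasyk.info:445/sysop/$1"
</VirtualHost>
```

Two things worth knowing before copying this. TCP/445 is the registered SMB port and is filtered on many networks, so any other unused port works just as well as long as the number matches in the redirect and in wp-config.php. And the redirect has to live in the web server: WordPress's own FORCE_SSL_ADMIN builds its HTTPS redirect from the request host name, so a plain-HTTP hit would be sent to port 443, not 445.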
Tag archive: ssl
Moving WordPress admin panel to another TCP port (with SSL)
Apache SSL cipher / protocol hardening [en only]
While preparing for the RHCE exam I rechecked my standard SSL configuration and concluded that I should update my SSLCipherSuite value. I also updated SSLProtocol and switched SSLHonorCipherOrder on, so that the server's SSLCipherSuite preference is used instead of the browser's:

SSLProtocol -ALL +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH

As you can see, I also disabled SSLv3 in SSLProtocol. Why? Because even IE8 on Windows XP supports TLSv1 :) You can also add +TLSv1.1 or even +TLSv1.2 when your OpenSSL (and Apache) version supports them. Note that both TLS 1.0 and RC4 have since been retired (RFC 8996 deprecates TLS 1.0 and 1.1, RFC 7465 prohibits RC4), so treat the list above as a baseline of its time rather than a current recommendation.
Read more at http://httpd.apache.org/docs/trunk/mod/mod_ssl.html
After applying the changes, make sure the new config passes the SSL Labs test: https://www.ssllabs.com/ssltest/index.html
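For comparison, an added example (not from the original post): the post's directives beside a hardened set that a current SSL Labs test would accept. It assumes Apache httpd 2.4.36 or newer built against OpenSSL 1.1.1 or newer, which is what +TLSv1.3 requires; on older builds drop that token.

```apache
# Added example (not from the original post). Assumes Apache httpd >= 2.4.36
# with OpenSSL >= 1.1.1; drop +TLSv1.3 on older builds.

# --- weak: the values from the post ---
# SSLProtocol -ALL +TLSv1            # TLS 1.0 only; deprecated by RFC 8996
# SSLHonorCipherOrder On
# SSLCipherSuite RC4-SHA:HIGH:!ADH    # puts RC4 first; prohibited by RFC 7465

# --- hardened ---
# Only TLS 1.2 and 1.3; SSLv3, TLS 1.0 and TLS 1.1 stay disabled.
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
# The server, not the client, decides which suite wins.
SSLHonorCipherOrder On
# Forward-secret (ECDHE) AEAD suites only: no RC4, 3DES, CBC/SHA1, NULL or
# anonymous DH. Order prefers AES-128-GCM for speed on AES-NI hardware.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
# TLS-level compression enables CRIME; Apache does not rotate its session
# ticket key by default, so long-lived tickets would undermine forward secrecy.
SSLCompression off
SSLSessionTickets off
```

To check the result from the command line before running the SSL Labs test, `openssl s_client -connect maciek.lasyk.info:443 -tls1 </dev/null` must now fail to handshake, while the same command with `-tls1_2` must succeed and report one of the ECDHE suites above.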
Secure WordPress administration via SSL / HTTPS
I will not dwell on why administrative sessions of any web service (and not only web services..) should be protected. Remember: Big Brother is watching, so let's not make everything we do easy to intercept.
Securing WordPress with SSL is itself fairly simple: it comes down to enabling SSL for the chosen vhost in the web server (e.g. Apache). WordPress itself should work under SSL out of the box, without any additional configuration.
However, it is important to force SSL. There are several ways. We can use mod_rewrite on the non-SSL site and redirect to SSL whenever the user requests scripts in the wp-admin directory (httpd.conf or .htaccess):
RewriteEngine On
# RewriteBase is only valid in a <Directory> or .htaccess context; drop it
# when these lines go into the server or vhost section of httpd.conf.
RewriteBase /
RewriteCond %{HTTPS} !=on
# The leading slash is optional so the pattern matches both in httpd.conf
# (URL-path starts with "/") and in .htaccess (the prefix is stripped).
# wp-login.php is included as well: the password is posted there, and a
# rule covering only wp-admin/ would still send it over plain HTTP.
RewriteRule "^/?(wp-admin/.*|wp-login\.php)$" "https://%{HTTP_HOST}/$1" [R=301,L]
Or, more simply, edit wp-config.php and add the entry:
define('FORCE_SSL_ADMIN', true);
somewhere before:
require_once(ABSPATH . 'wp-settings.php');
That should be enough..