Secure WordPress Login and Admin Dashboard with SSL (HTTPS)

One of iControlWP’s goals is to help you make all your WordPress websites more secure.

Implementing good security principles isn’t difficult, but it’ll take you a long time to do on each site.

So far we’ve shown you that iControlWP can help keep your websites more secure by:

  1. regularly resetting the WordPress Authentication Keys and Salts.
  2. renaming your WordPress database table prefix to something other than the default.
  3. disabling the ability to edit files from within the WordPress dashboard.

These are serious security advantages that reduce your attack surface.

iControlWP lets you put these protections in place with just a click of a button.

WordPress has another useful option to shore up your websites: SSL / HTTPS.

By the end of this article you’ll understand all you need to know about enabling SSL or HTTPS on your WordPress admin, and of course how to do it.

What’s the 1st thing you need to know about WordPress Admin and SSL?

The basic requirement for secure SSL logins to WordPress, and a secure SSL-based admin area, is the presence of an SSL certificate.

If your website doesn’t have this, it’s not going to work.

But all is not lost: you can use your web hosting control panel (or ask your web host, if you’re unsure how this is done) to create a “self-signed” SSL certificate.

The self-signed certificate is only for website admin and not for any other purpose – if you enable SSL with it on your whole WordPress site, your visitors will run into browser warnings about the untrusted certificate.

Enabling SSL on a website is a much bigger topic than can be covered in this article, but I’ll assume that if you read on, you have a valid SSL certificate installed, whether certified/signed by a root certificate authority, or just self-signed.

WordPress Security Option 1: Force Login Over SSL

With this option enabled, the WordPress login is always forced over SSL. That means the URL for submitting the login form will begin with HTTPS://

If you don’t have an SSL certificate installed on your site (as mentioned earlier) you’ll face login problems, so only do this if you’ve sorted this part out first.

Since the WordPress login normally runs over unsecured HTTP:// connections, usernames and passwords are sent as clear text and are easily readable by anyone who can observe the traffic.

Force SSL Login Form for WordPress

With this option enabled, the problem of snooping is averted and you have a secure channel for submitting WordPress login information.

After this is enabled, you’ll know it’s working when you look at the source of your login form page (see image).

WordPress Security Option 2: Force Admin Over SSL

When this option is enabled, it forces the whole of the WordPress Admin area (including logins and registrations) to be served with SSL – i.e. over HTTPS.

This is the ideal solution in terms of a secure connection, but again, you’ll need to have an SSL certificate installed for that site.

How to enable the FORCE_SSL security options on your WordPress sites – the easy way

Force SSL Admin / Login for WordPress

As you probably know by now, iControlWP is by far the easiest way to manage many of your WordPress security options.

All you do is flick the switch, and iControlWP will go off and make the necessary changes for you on each of your sites.

If you don’t have an iControlWP account, or you don’t want to sign up for the free one (that includes these security tools as standard), then you can follow the how-to guide below.

How to enable the FORCE_SSL options within WordPress – the hard way

When you use iControlWP to set this setting, you can turn it on and off quickly.

This is useful if 99% of the time you don’t use the editor, but sometimes you want to just quickly make an edit. iControlWP can let you turn off the setting, and then re-enable it as soon as you’re done.

But, if you want to do it manually, it’s easy. Here’s how:

1. Make a backup of your wp-config.php file.

If you’re using a WordPress backup system like WorpDrive, just fire off a backup, wait until it’s completed and continue on.

2. Open up your wp-config.php file for editing.

Download the wp-config.php from your website and open it up in your favourite text editor.

3. Find the setting FORCE_SSL_LOGIN in your wp-config.php and change it to true

By default, this setting is not specified in the WordPress wp-config.php file. If you’ve never set this before, it won’t be there, and you’ll have to add it yourself.

But you need to be careful where you add new configuration settings – you cannot add them to the end of the file.

A good place to do it is after the line that sets WP_DEBUG.

To enable this security setting, add the following line to your wp-config.php:

define( 'FORCE_SSL_LOGIN', true );

4. Repeat step 3 but for FORCE_SSL_ADMIN

Simply do what you did for step 3, but use this line:

define( 'FORCE_SSL_ADMIN', true );

5. Replace your wp-config.php

Save your wp-config.php file with the changes, and upload it back to your WordPress site.

You’re done!
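The manual steps above as a script, added here as an example (it is not iControlWP or WordPress code): it backs up wp-config.php, removes any existing FORCE_SSL_* define, and writes both constants straight after the WP_DEBUG line. The function name enable_force_ssl and the file path argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not iControlWP or WordPress code. Scripted form of manual
# steps 1-5; the path you pass in is your own wp-config.php (assumption).

# enable_force_ssl FILE
# Backs up FILE, then defines FORCE_SSL_LOGIN and FORCE_SSL_ADMIN as true
# directly after the WP_DEBUG line. Re-running it changes nothing.
enable_force_ssl() {
    cfg=$1
    [ -f "$cfg" ] || { echo "not found: $cfg" >&2; return 1; }

    # The article anchors the new lines on WP_DEBUG; refuse to guess without it.
    grep -q "define( *['\"]WP_DEBUG['\"]" "$cfg" || {
        echo "no WP_DEBUG define in $cfg; edit by hand" >&2; return 2; }

    # Already enabled: leave the file and any earlier backup untouched.
    if grep -q "^define( 'FORCE_SSL_LOGIN', true );" "$cfg" &&
       grep -q "^define( 'FORCE_SSL_ADMIN', true );" "$cfg"; then
        return 0
    fi

    # Step 1: back up before touching anything (-p keeps mode and timestamps).
    cp -p "$cfg" "$cfg.bak" || return 1

    # Steps 3 and 4: drop any existing FORCE_SSL_* define (for example one set
    # to false), then write both constants once, right after WP_DEBUG.
    # [^A-Z_] stops WP_DEBUG from also matching WP_DEBUG_LOG.
    awk '
        /define\( *.FORCE_SSL_(LOGIN|ADMIN)[^A-Z_]/ { next }
        { print }
        /define\( *.WP_DEBUG[^A-Z_]/ && !done {
            print "define( \047FORCE_SSL_LOGIN\047, true );"
            print "define( \047FORCE_SSL_ADMIN\047, true );"
            done = 1
        }
    ' "$cfg.bak" > "$cfg.tmp" || return 1

    # Step 5: overwrite in place so the file keeps its owner and permissions.
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# Usage: sh force-ssl.sh /path/to/wp-config.php
if [ "$#" -gt 0 ]; then enable_force_ssl "$1"; fi
```

In WordPress 4.0 and later FORCE_SSL_LOGIN is deprecated and FORCE_SSL_ADMIN on its own also covers the login form, so the first added line only matters on older installs.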

Get the iControlWP Advantage Today – Free

This setting is also not a difficult security task, but it’s made much easier with iControlWP if you have many websites to manage and maintain.

iControlWP lets you manage your plugins, themes, and security (and much more) across all your WordPress websites from one convenient, secure, dashboard.

And it’s free to sign up. No commitments, no credit cards.

Just good WordPress management.

Join the discussion 4 Comments

  • Anthony says:

    Hi Paul, great article! Thanks for the info here. I’m curious, if a site is configured so that the admin area is only accessible from specific ip addresses (via .htaccess), and the file editor in the admin area was disabled, would it still be a good idea to force SSL on the admin area as opposed to forcing SSL on just the login page?

  • Rose says:

    Hello,
    Question – when I try to login to my wp admin backend, it’s saying it’s not secure. I never noticed this before and have all the newest versions of WP and my theme installed. How do I correct this issue? Do I have to install an SSL certificate? Will the free one that comes with my host be sufficient? Please let me know if you can help as I don’t want to log into my back end if it’s not secure. What should I do when I log in in order to protect my site?
    Thank you!
