One of iControlWP’s goals is to help you make all your WordPress websites more secure.
Implementing good security principles isn’t difficult, but it’ll take you a long time to do on each site.
So far we’ve shown you that iControlWP can help keep your websites more secure by:
- regularly resetting the WordPress Authentication Keys and Salts.
- renaming your WordPress database table prefix to something other than the default.
- disabling the ability to edit files from within the WordPress dashboard.
These are serious security advantages that reduce your attack surface. iControlWP lets you put these protections in place with just a click of a button.
WordPress has another useful option to shore up your websites: SSL / HTTPS.
By the end of this article you’ll understand all you need to know about enabling SSL or HTTPS on your WordPress admin, and of course how to do it.
What’s the 1st thing you need to know about WordPress Admin and SSL?
The basic requirement for secure SSL logins to WordPress, and a secure SSL-based admin area, is the presence of an SSL certificate.
If your website doesn’t have this, it’s not going to work.
But all is not lost. You can create a “self-signed” SSL certificate using your web hosting control panel, or ask your web host if you’re unsure how this is done.
The self-signed certificate is only for website admin and not for any other purpose – if you enable SSL on your whole WordPress site you’re going to have a few issues with your visitors.
Enabling SSL on a website is a much bigger topic than can be covered in this article, but I’ll assume that if you read on, you have a valid SSL certificate installed, whether certified/signed by a root certificate authority, or just self-signed.
WordPress Security Option 1: Force Login Over SSL
With this option enabled, the WordPress login is always forced over SSL. That means the URL for submitting the login form will begin with
If you don’t have an SSL certificate installed on your site (as mentioned earlier) you’ll face login problems so only do this if you’ve sorted this part out first.
Since the WordPress login normally runs over unsecured http:// connections, usernames and passwords are sent as clear text and are easily readable by anyone looking closely at the traffic.
With this option enabled, the problem of snooping is averted and you have a secure channel for submitting WordPress login information.
After this is enabled, you’ll know it’s working when you look at the source of your login form page (see image).
WordPress Security Option 2: Force Admin Over SSL
When this option is enabled, it forces the whole of the WordPress Admin area (including logins and registrations) to be served with SSL – i.e. over HTTPS.
This is the ideal solution in terms of a secure connection, but again, you’ll need to have an SSL certificate installed for that site.
How to enable the FORCE_SSL security options on your WordPress sites – the easy way
As you probably know by now, iControlWP is by far the easiest way to manage many of your WordPress security options.
All you do is flick the switch, and iControlWP will go off and make the necessary changes for you on each of your sites.
If you don’t have an iControlWP account, or you don’t want to sign up for the free one (that includes these security tools as standard), then you can follow the how-to guide below.
How to enable the FORCE_SSL options within WordPress – the hard way
When you use iControlWP to set this setting, you can turn it on and off quickly.
This is useful if 99% of the time you don’t use the editor, but sometimes you want to just quickly make an edit. iControlWP can let you turn off the setting, and then re-enable it as soon as you’re done.
But, if you want to do it manually, it’s easy. Here’s how:
1. Make a backup of your wp-config.php file.
If you’re using a WordPress backup system like WorpDrive, just fire off a backup, wait until it’s completed and continue on.
2. Open up your wp-config.php file for editing.
Download wp-config.php from your website and open it up in your favourite text editor.
3. Find the setting FORCE_SSL_LOGIN in your wp-config.php and change it to true
By default, this setting is not specified in the WordPress wp-config.php file. If you’ve never set this before, it won’t be there, and you’ll have to add it yourself.
But you need to be careful where you add new configuration settings – you cannot add them to the end of the file.
A good place to do it is after the line that sets
To enable this security setting, add the following line to your wp-config.php:
define( 'FORCE_SSL_LOGIN', true );
4. Repeat step 3 but for FORCE_SSL_ADMIN
Simply do what you did for step 3, but use this line:
define( 'FORCE_SSL_ADMIN', true );
5. Replace your wp-config.php
Save the wp-config.php file with the changes, and upload it back to your WordPress site.
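Steps 1 to 5 can also be scripted. The functions below are an added example, not iControlWP code: they assume a stock wp-config.php that ends by requiring wp-settings.php, insert each missing define above that line (a define placed after it is read too late, which is why the end of the file does not work), and then check the placement. The function names are made up for this example.

```shell
#!/bin/sh
# Added example (not iControlWP code). Assumes a stock wp-config.php whose
# last statement is the require of wp-settings.php; defines placed after
# that line are read too late to take effect.

# add_force_ssl FILE: add any missing FORCE_SSL_* define above the loader line.
add_force_ssl() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    grep -q "require.*wp-settings\.php" "$cfg" ||
        { echo "$cfg: wp-settings.php loader line not found" >&2; return 1; }

    for name in FORCE_SSL_LOGIN FORCE_SSL_ADMIN; do
        # Already defined on a live (uncommented) line: nothing to do.
        if grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]$name['\"]" "$cfg"; then
            continue
        fi
        # Step 1 of the procedure: back up first, never clobbering an older backup.
        [ -f "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak" || return 1
        awk -v line="define( '$name', true );" '
            !done && /require.*wp-settings\.php/ { print line; done = 1 }
            { print }
        ' "$cfg" > "$cfg.tmp" || return 1
        # Write back through the existing file so its owner and mode are kept.
        cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp" || return 1
    done
}

# defines_before_loader FILE: exit 0 only if both defines precede the loader.
defines_before_loader() {
    awk '
        /^[ \t]*define\([ \t]*.FORCE_SSL_LOGIN./ && !loaded { login = 1 }
        /^[ \t]*define\([ \t]*.FORCE_SSL_ADMIN./ && !loaded { admin = 1 }
        /require.*wp-settings\.php/                         { loaded = 1 }
        END { exit !(login && admin) }
    ' "$1"
}
```

Run `add_force_ssl` against the downloaded copy of wp-config.php, confirm with `defines_before_loader`, then upload the file; the untouched original is kept beside it as wp-config.php.bak.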
Get the iControlWP Advantage Today – Free
This setting is also not a difficult security task, but it is made much easier with iControlWP if you have many websites to manage and maintain. iControlWP lets you manage your plugins, themes, and security (and much more) across all your WordPress websites from one convenient, secure dashboard.
And it’s free to signup. No commitments, no credit cards.
Just good WordPress management.