WordPress Security

Secure your WordPress admin with a free self-signed SSL certificate

If you need to use a public wifi connection to work on your WordPress site, there are a number of ways you can protect your site from other users on the insecure connection. By default, WordPress (self-hosted version) doesn’t encrypt your password when logging in, so your login credentials are being transmitted in plain-text through whichever network you’re connected to.

One way to add a layer of protection is to connect to WordPress admin over an HTTPS connection. This can be done with or without an SSL certificate from a trusted Certificate Authority (CA). For the purpose of this post, I will explain how to do this with a free self-signed certificate instead of a paid SSL certificate from a trusted CA.

Pros:

  • more secure than standard HTTP
  • the connection from your browser to your server will be encrypted over HTTPS
  • does not require a dedicated IP address for your server that a trusted CA SSL certificate would require
  • free, there is no cost to create and use a self-signed certificate

Drawbacks:

  • although the connection is fully encrypted, without a valid SSL certificate from an official CA, the identity of the server you are connecting to cannot be confirmed, which will prompt a browser warning message to anyone trying to connect via HTTPS
  • self-signed certificates may not be supported on all hosting providers

Steps:

  1. Enable SSL on your server and install the self-signed SSL certificate. How to do this will vary depending on your hosting package; check with your hosting provider for specific instructions.
  2. To force WordPress to use HTTPS when accessing the admin site, add this to your wp-config.php file:
     define('FORCE_SSL_ADMIN', true);
  3. Log in to your admin site (for example: http://www.yoursite.com/wp-admin). If everything is working properly, you should then see an alert letting you know that the identity of the server cannot be confirmed.
  4. This warning can be bypassed by clicking ‘Advanced’ -> ‘Proceed to www.yoursite.com (unsafe)’
  5. (optional) If you want to prevent the alert from appearing in the future, you can manually configure your browser to automatically trust the self-signed certificate that’s installed.
    1. To do this in Google Chrome on OSX, click the lock icon by the browser URL bar
    2. Click the “Connection” tab -> “Certificate Information”
    3. You should then be presented with a popup with details about the certificate
    4. Save a copy of the certificate by dragging the image of the certificate to your desktop or any other location in Finder
    5. Double click the certificate file
    6. Click “Always Trust”
    7. Now whenever you access the site via HTTPS, there will be no warnings and you will see a green lock icon by the address bar, just like a trusted SSL certificate
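Step 1 leaves certificate creation to the hosting provider, and step 5 asks you to trust whatever certificate the browser presents. The following script is an added example and is not part of the original post: it creates the self-signed certificate for step 1 with OpenSSL (version 1.1.1 or later is assumed for the -addext option) and prints the certificate's SHA-256 fingerprint. Before clicking “Always Trust” in step 5, compare that fingerprint with the one shown in the browser's certificate details; on a public wifi network a mismatch means the warning is genuine and the certificate should not be trusted. The hostname www.yoursite.com, the output file names and the temporary output directory are assumptions, and the files must be moved to wherever your hosting package expects them.

```shell
#!/bin/sh
# Added example (not from the original post): create a self-signed
# certificate for the WordPress admin host and print the values you
# should compare in the browser before trusting it.
# Assumptions: OpenSSL 1.1.1+ on PATH; hostname and paths are placeholders.
set -eu

# Generate a 2048-bit RSA key and a self-signed certificate for HOST in DIR.
# The subjectAltName extension is what browsers match the hostname against;
# a certificate with only a CN is reported as a name mismatch.
make_selfsigned_cert() {
    dir="$1"
    host="$2"
    days="${3:-365}"
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
        -keyout "$dir/wp-admin.key" -out "$dir/wp-admin.crt" \
        -days "$days" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    # The private key must never be readable by other users on the server.
    chmod 600 "$dir/wp-admin.key"
}

# Print the SHA-256 fingerprint of a certificate as colon-separated hex,
# the same form Chrome shows under "Certificate Information".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Print the DNS name(s) in the certificate's subjectAltName extension.
cert_san() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *DNS://p'
}

# Demonstration on a throwaway directory (constructed sample run).
out=$(mktemp -d)
make_selfsigned_cert "$out" www.yoursite.com
echo "Certificate : $out/wp-admin.crt"
echo "Private key : $out/wp-admin.key"
echo "SAN         : $(cert_san "$out/wp-admin.crt")"
echo "SHA-256     : $(cert_fingerprint "$out/wp-admin.crt")"
```

Run the script on the server, keep the printed fingerprint, and only click “Always Trust” when the fingerprint in the browser's certificate details is identical; a browser warning that appears with a different fingerprint is not the one this post tells you to bypass.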