If you need to use a public Wi-Fi connection to work on your WordPress site, there are a number of ways you can protect your site from other users on the insecure connection. By default, WordPress (self-hosted version) doesn’t encrypt your password when logging in, so your login credentials are transmitted in plain text over whichever network you’re connected to.
One way to add a layer of protection is to connect to WordPress admin over an HTTPS connection. This can be done with or without an SSL certificate from a trusted Certificate Authority (CA). For the purpose of this post, I will explain how to do this with a free self-signed certificate instead of a paid SSL certificate from a trusted CA.
Advantages of a self-signed certificate:
- more secure than standard HTTP
- the connection from your browser to your server will be encrypted over HTTPS
- does not require the dedicated IP address for your server that an SSL certificate from a trusted CA would require
- free: there is no cost to create and use a self-signed certificate
Disadvantages:
- although the connection is fully encrypted, without a valid SSL certificate from an official CA the identity of the server you are connecting to cannot be confirmed, which prompts a browser warning message for anyone trying to connect via HTTPS
- self-signed certificates may not be supported by all hosting providers
To set this up:
- Enable SSL on your server and install the self-signed SSL certificate. How to do this will vary depending on your hosting package, so check with your hosting provider for specific instructions.
- To force WordPress to use HTTPS when accessing the admin site, add this to your wp-config.php file
- Log in to your admin site (for example: http://www.yoursite.com/wp-admin). If everything is working properly, you should then see an alert letting you know that the identity of the server cannot be confirmed.
- This warning can be bypassed by clicking ‘Advanced’ -> ‘Proceed to www.yoursite.com (unsafe)’
- (optional) If you want to prevent the alert from appearing in the future, you can manually configure your browser to automatically trust the self-signed certificate that’s installed.
  - To do this in Google Chrome on OS X, click the lock icon by the browser URL bar
  - Click the “Connection” tab -> “Certificate Information”
  - You should then be presented with a popup with details about the certificate
  - Save a copy of the certificate by dragging the image of the certificate to your desktop or any other location in Finder
  - Double-click the certificate file
  - Click “Always Trust”
  - Now whenever you access the site via HTTPS, there will be no warnings and you will see a green lock icon by the address bar, just as with a trusted SSL certificate
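
The steps above, sketched as an added shell example (not from the original post): it creates a self-signed certificate, compares the SHA-256 fingerprint of the certificate saved from the browser with the one installed on the server before that copy is marked as trusted, and checks that wp-config.php forces HTTPS for admin. The function names, file names and 365-day lifetime are assumptions, as is reading the wp-config.php setting as WordPress's `FORCE_SSL_ADMIN` constant.

```shell
#!/bin/sh
# Added example. Function names, paths and lifetimes are assumptions.

# Create a self-signed certificate and private key for one hostname.
# subjectAltName is set because current browsers ignore the CN field.
make_self_signed() {  # $1 = hostname, $2 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null &&
    chmod 600 "$2/$1.key"
}

# Print the SHA-256 fingerprint of a certificate as 64 hex characters.
# Tries PEM first, then DER (the format of a .cer file dragged out of
# the browser's certificate viewer).
cert_fingerprint() {  # $1 = certificate file
    { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null ||
      openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null
    } | sed 's/^.*=//; s/://g'
}

# Succeed only if both files hold the same certificate.
same_cert() {  # $1 = installed certificate, $2 = copy saved from browser
    a=$(cert_fingerprint "$1") && b=$(cert_fingerprint "$2") &&
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if wp-config.php defines FORCE_SSL_ADMIN as true.
forces_ssl_admin() {  # $1 = path to wp-config.php
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Usage: sh check-cert.sh installed.crt saved-from-browser.cer
if [ "$#" -eq 2 ]; then
    if same_cert "$1" "$2"; then
        echo "match: this is the certificate you installed"
    else
        echo "MISMATCH: do not mark this certificate as trusted"
    fi
fi
```

Run the comparison before clicking “Always Trust”: a saved certificate whose fingerprint differs from the one you installed did not come from your server.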