Goal: Use HTTPS / SSL for the Login Form only.
What I tried:
- read and followed several posts about this topic.
- tried every combination of define('FORCE_SSL_LOGIN', true); and define('FORCE_SSL_ADMIN', true);
What I found out:
- define('FORCE_SSL_LOGIN', true); does not redirect to https://..; in the HTML source code, however, the "form action" points to https://<login-url>
- in my opinion this will not encrypt the username / password
By looking deeper at the code I found the following function in wp-login.php:
    // Redirect to https login if forced to use SSL
    if ( force_ssl_admin() && !is_ssl() ) {
        if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
            wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
            exit();
        } else {
            wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
            exit();
        }
    }
In my understanding the redirect to https only happens if FORCE_SSL_ADMIN is set (first if statement). This works on my Server, but then the whole admin area uses SSL.
Questions
- Might this be a bug in the wp-login.php code? (If I change the check in the if statement to force_ssl_login(), I get redirected to the SSL login page with only FORCE_SSL_LOGIN turned on. Hmmm.. ok, this was obvious now ;-) )
- Any other ideas?
Securing the login form is very important to our setup, since we're using a corporate directory for user authentication via wpmu-ldap. (works great!)
Thank you very much!
-eric.
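The redirect decision the post's wp-login.php excerpt makes, written out as an added example that is not WordPress code: it honours FORCE_SSL_LOGIN as well as FORCE_SSL_ADMIN, and it only trusts HTTP_HOST when it matches a configured site host, because the Host header is supplied by the client. The function name, the $allowedHost parameter and the sample requests are assumptions for this example; the constants and the $_SERVER keys come from the post. The security point is that the page carrying the form must itself be served over HTTPS, not only the form's action URL, since an HTTP-served page can be altered in transit before the browser ever posts the credentials.

```php
<?php
// Added example, not part of WordPress or of the original post.
// Decides whether a request for the login page must be redirected to HTTPS.

/**
 * Return the https:// URL to redirect to, or null when no redirect is needed.
 *
 * @param array  $server      subset of $_SERVER: REQUEST_URI, HTTP_HOST, HTTPS
 * @param bool   $forceAdmin  value of the FORCE_SSL_ADMIN constant
 * @param bool   $forceLogin  value of the FORCE_SSL_LOGIN constant
 * @param string $allowedHost canonical site host (assumed configuration value);
 *                            HTTP_HOST is checked against it before being reused
 */
function login_https_redirect(array $server, bool $forceAdmin, bool $forceLogin, string $allowedHost): ?string
{
    // Approximation of WordPress is_ssl(): HTTPS is set and not "off"
    $isSsl = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';

    // Either constant is enough to require TLS for the login page
    if ($isSsl || !($forceAdmin || $forceLogin)) {
        return null;
    }

    $uri = $server['REQUEST_URI'] ?? '/wp-login.php';

    // Absolute-form request target: the branch the original preg_replace handles
    if (0 === strpos($uri, 'http')) {
        $target = preg_replace('|^http://|', 'https://', $uri);
        $host   = (string) parse_url($target, PHP_URL_HOST);
        if (strcasecmp($host, $allowedHost) !== 0) {
            return 'https://' . $allowedHost . '/wp-login.php';
        }
        return $target;
    }

    // Usual case: origin-form target, rebuild the URL from the Host header,
    // falling back to the configured host when the header does not match it
    $host = $server['HTTP_HOST'] ?? '';
    if (strcasecmp($host, $allowedHost) !== 0) {
        $host = $allowedHost;
    }
    return 'https://' . $host . $uri;
}

// Read the constants the way wp-config.php would define them (assumed defaults)
$forceAdmin = defined('FORCE_SSL_ADMIN') && FORCE_SSL_ADMIN;
$forceLogin = defined('FORCE_SSL_LOGIN') ? (bool) FORCE_SSL_LOGIN : true;

// Constructed sample requests, not captured traffic
$plainLogin = ['REQUEST_URI' => '/wp-login.php', 'HTTP_HOST' => 'intranet.example', 'HTTPS' => ''];
$tlsLogin   = ['REQUEST_URI' => '/wp-login.php', 'HTTP_HOST' => 'intranet.example', 'HTTPS' => 'on'];
$otherHost  = ['REQUEST_URI' => '/wp-login.php', 'HTTP_HOST' => 'other.example',    'HTTPS' => ''];

var_dump(login_https_redirect($plainLogin, $forceAdmin, $forceLogin, 'intranet.example'));
var_dump(login_https_redirect($tlsLogin,   $forceAdmin, $forceLogin, 'intranet.example'));
var_dump(login_https_redirect($otherHost,  $forceAdmin, $forceLogin, 'intranet.example'));
var_dump(login_https_redirect($plainLogin, false,       false,       'intranet.example'));
```

With only FORCE_SSL_LOGIN enabled, the plain-HTTP request yields an https:// URL for the configured host, the already-TLS request yields null, the request with a non-matching Host header is redirected to the configured host rather than to whatever the header contained, and with both constants off no redirect is produced. In a real wp-login.php the returned URL would be passed to wp_redirect() followed by exit(), as in the excerpt above.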