How to secure only wp-admin folder on my domain?
Hi guys,
I got a QuickSSL, but I would like to install it only on my wp-admin (the rest of the site will use http). I have found some tutorials on v2.lowendbox.com and the internet, but it's not working as I expected.
Only http://mydomain.com/wp-admin will redirect to https://mydomain.com/wp-admin. It didn't work with any other url inside wp-admin (for example: wp-admin/index.php).
Here is my current nginx config:
    server {
        listen 80;
        server_name domain.com www.domain.com;
        root /var/www/domain.com;
        include /etc/nginx/fastcgi_php;
        index index.php index.html;
        location / {
            if (!-e $request_filename) {
                rewrite ^(.*)$ /index.php last;
            }
        }
        location /wp-admin {
            rewrite ^/ https://$http_host$request_uri permanent;
        }
    }
    server {
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/csr.csr;
        ssl_certificate_key /etc/nginx/ssl/csr.key;
        keepalive_timeout 60;
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
        server_name domain.com www.domain.com;
        root /var/www/domain.com;
        include /etc/nginx/fastcgi_php;
        index index.php index.html;
        location / {
            rewrite ^ http://$http_host$request_uri permanent;
        }
        location /wp-admin {
        }
    }
Thanks for reading,
Giang
Comments
Hi Giang
Please check your wp-config.php to make sure that admin logins are via https
You should have this in there:
    define('FORCE_SSL_ADMIN', true);
Thanks Kiloserver, I didn't know WordPress had this feature :P
Is there any way to set up SSL on another folder (not the WordPress blog)?
Just for reference: http://codex.wordpress.org/Administration_Over_SSL
We do the ssl on wp-admin for our mu installs.
I'm always iffy about setting up another folder under a wp install as wp will catch calls to it on occasion. Is the folder currently set up and working or do you still have to do it?
I want to say it's this right before your !-e bit within location:
    if (-f $request_filename) {
        break;
    }
which appears to skip existing files. Not 100% sure, as googling for this is a waste of time. Everything comes up with people stating "you should install nginx instead" as a solution. sigh
How do you do the green code by the way?
Thanks was using the code tag.
With SEO tools in most scripts these days, SSL is often handled by the script. You would set up SSL for the server and the script would determine the URL (http or https).
For example, scripts like vBulletin, Joomla and Drupal all control their own URLs and you would set the SSL through them and not within your nginx config.
@drmike, you can also indent your code with a tab or four spaces.
@Xeoncross Thanks. (Oh, I'm going to remember that...)
Sorry, I didn't catch what you meant. Please explain this, my English is limited.
Look at the code you copied and pasted for the lines with the !-e. Try pasting that in right before it.
Thank you, it seems I've done it and there was no change
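Added example, not part of the thread or any poster's config: one way to get the redirect from the original question to cover every URL under wp-admin, with current TLS settings on the HTTPS side. It assumes that `/etc/nginx/fastcgi_php` (whose contents are not shown in the thread) defines a regex location for `.php` files, which is why a plain `location /wp-admin` never sees `/wp-admin/index.php`; the certificate file names are placeholders.

```nginx
# Constructed example. Assumption: /etc/nginx/fastcgi_php defines a regex
# location such as "location ~ \.php$", which nginx prefers over a plain
# prefix location like "location /wp-admin".
server {
    listen 80;
    server_name domain.com www.domain.com;
    root /var/www/domain.com;
    include /etc/nginx/fastcgi_php;
    index index.php index.html;

    location / {
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php last;
        }
    }

    # "^~" stops the search at this prefix match, so regex locations are not
    # consulted and /wp-admin/index.php is redirected like /wp-admin itself.
    location ^~ /wp-admin {
        return 301 https://$host$request_uri;
    }

    # The login form carries the password; an exact match also outranks regex.
    location = /wp-login.php {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name domain.com www.domain.com;
    root /var/www/domain.com;
    include /etc/nginx/fastcgi_php;
    index index.php index.html;

    # Placeholder file names: ssl_certificate takes the issued certificate
    # (with its chain), not the signing request.
    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;

    # Replaces "SSLv2 SSLv3 TLSv1" and the cipher list that enabled LOW,
    # SSLv2 and EXP suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
```

Check the result with `nginx -t` before reloading; `TLSv1.3` needs an nginx build linked against OpenSSL 1.1.1 or later.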