SSL and Cookies in WordPress 2.6

WordPress 2.6 includes better support for visiting the admin over SSL. Part of this support involves making sure authorization cookies are delivered only over SSL-encrypted HTTPS sessions.  To accommodate this while still allowing the option of visiting the admin over plain http, 2.6 moves from a single cookie setup to a three cookie setup.

In previous releases, WP set one cookie.  This cookie was delivered to all parts of your blog over both secure SSL connections and regular, unsecured connections.  It was delivered to the front page of the blog and to the admin pages.  Delivering a cookie to the front page allows WP to display inline editing and logout links for the currently logged in user.  To properly support SSL, WP needs to be able to restrict delivery of the auth cookie to only secure SSL sessions.  If WP stuck with a single cookie and delivered it only over secure sessions, that cookie would not be delivered to the front page since most people don’t visit the front page of their blogs over SSL.  Thus, WP would be unable to display info related to the current user on the front page.

To remedy this, WordPress 2.6 sets separate “logged in” and “auth” cookies.  The logged in cookie is delivered for all pages of your blog over both SSL and non-SSL sessions.  The logged in cookie cannot be used to access the admin.  It merely indicates that a particular user is currently logged in. The logged in cookie cannot be used to make changes to the blog.

The auth cookie, on the other hand, is delivered only for the admin area and can be used to make changes to the blog.  If you log in via https, your auth cookie will be delivered only for SSL sessions.  If you log in over https and later visit your admin via regular http, you will have to log in again to get a non-SSL auth cookie. By default, you have the option of visiting your admin either via http or https.  If you want to force all admin sessions to be over https, add the following to your wp-config.php:

define('FORCE_SSL_ADMIN', true);

This will prevent non-SSL logins to your blog. This means you will never have an auth cookie delivered in the clear.  If you want to force logins to be over SSL to prevent usernames and passwords from being sent in the clear while letting your users have the choice of using http or https when visiting the admin, add this to your wp-config.php:

define('FORCE_SSL_LOGIN', true);

This does not force all cookies to be delivered over SSL.  The user has a choice between the greater security of an https session and the greater speed of an http session.  If you want to remove this choice and force secure https sessions, FORCE_SSL_ADMIN is for you.
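The following is an added illustration, not code from WordPress or from this post: a small Python model of the three-cookie layout and of the two wp-config options described above. Cookie names (logged_in, auth, secure_auth), the example.com host and the wp-login.php check are assumptions for the walkthrough; the cookie paths are the ones the post names (the whole blog for the logged-in cookie, wp-admin and wp-content/plugins for the auth cookie).

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed model of the 2.6 cookie layout (illustrative names, not
# WordPress's real cookie names). An https login marks the auth cookie
# Secure, so a browser never returns it over plain http.


@dataclass(frozen=True)
class Cookie:
    name: str
    path: str
    secure: bool  # True: the browser returns it only on https requests


def cookies_set_at_login(login_over_https: bool) -> list[Cookie]:
    """Cookies a login issues in this model; an https login yields a Secure auth cookie."""
    auth_name = "secure_auth" if login_over_https else "auth"
    return [
        Cookie("logged_in", "/", secure=False),
        Cookie(auth_name, "/wp-admin", secure=login_over_https),
        Cookie(auth_name, "/wp-content/plugins", secure=login_over_https),
    ]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: equal, or the cookie path is a prefix at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent(jar: list[Cookie], url: str) -> list[str]:
    """Names of the cookies a browser would attach to a request for `url`."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    path = parts.path or "/"
    return sorted({c.name for c in jar
                   if path_matches(c.path, path) and (https or not c.secure)})


def required_scheme(path: str, force_ssl_admin: bool = False,
                    force_ssl_login: bool = False) -> str | None:
    """Scheme the site insists on for `path` under the two wp-config options.
    None means the user may choose http or https (the post's default)."""
    is_admin = path.startswith("/wp-admin")
    is_login = path == "/wp-login.php"  # assumed login script path
    if force_ssl_admin and (is_admin or is_login):
        return "https"
    if force_ssl_login and is_login:
        return "https"
    return None


def demo() -> dict[str, list[str]]:
    """Walk through the post's scenarios after a login over https."""
    jar = cookies_set_at_login(login_over_https=True)
    return {
        "front page over http": cookies_sent(jar, "http://example.com/"),
        "admin over https": cookies_sent(jar, "https://example.com/wp-admin/"),
        "admin over http": cookies_sent(jar, "http://example.com/wp-admin/"),
        "plugin file over https": cookies_sent(jar, "https://example.com/wp-content/plugins/foo/foo.php"),
        "theme file over https": cookies_sent(jar, "https://example.com/wp-content/themes/foo/ajax.php"),
    }


if __name__ == "__main__":
    for scenario, names in demo().items():
        print(f"{scenario}: {names}")
```

Running demo() reproduces the behaviour the post describes: the front page only ever sees the logged-in cookie, an admin request over plain http after an https login carries no auth cookie at all (hence the second login), and a file under wp-content/themes never receives the auth cookie even over https.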

With these new cookies come new secret keys for signing them.  Recall that WordPress 2.5 introduced SECRET_KEY as a means of adding a little extra security to cookie signing.  If you intend to use the SSL support in 2.6, you will probably want to define the secret key for the secure cookie.  If you don’t intend to use SSL, you can stick with your existing SECRET_KEY.  Here’s an example of what the new secret key definitions look like:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');

You should change those sample phrases to unique, preferably random phrases.  Each key should have a different phrase.  Visit http://api.wordpress.org/secret-key/1.1/ to get a set of random keys that you can cut-and-paste into your wp-config.php.  Once again, if you don’t intend to use SSL, you can stick with the SECRET_KEY you already have.
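As an added example (not WordPress's own cookie algorithm and not code from this post), the Python below models why each cookie type gets its own signing key. The user|expiration|mac cookie format, the HMAC-SHA256 choice, the fixed "constructed" phrases and the username are assumptions made for the walkthrough; only the three define names come from the post.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed model of per-cookie signing keys. The cookie layout
# (user|expiration|mac) is a simplification for illustration, not
# WordPress's own cookie format; the key names match the defines above.

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY")


def generate_keys() -> dict[str, str]:
    """Stand-in for the api.wordpress.org generator: one random phrase per define."""
    return {name: secrets.token_hex(32) for name in KEY_NAMES}


def sign_cookie(username: str, expiration: int, key: str) -> str:
    """Build user|expiration|mac with mac = HMAC-SHA256(key, user|expiration)."""
    payload = f"{username}|{expiration}"
    mac = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie: str, key: str, now: int) -> str | None:
    """Return the username if the cookie is unexpired and signed with `key`, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiration, mac = parts
    if not expiration.isdigit() or int(expiration) < now:
        return None
    expected = hmac.new(key.encode(), f"{username}|{expiration}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return username


# Fixed constructed phrases so the walkthrough is reproducible; a real
# wp-config.php would use the random output of generate_keys() instead.
KEYS = {
    "AUTH_KEY": "constructed auth phrase",
    "SECURE_AUTH_KEY": "constructed secure auth phrase",
    "LOGGED_IN_KEY": "constructed logged in phrase",
}


def demo(now: int = 1_216_000_000) -> dict[str, bool]:
    """Show what separate keys buy: a logged-in cookie cannot pass as an auth cookie."""
    expiration = now + 2 * 24 * 3600
    auth = sign_cookie("admin", expiration, KEYS["AUTH_KEY"])
    logged_in = sign_cookie("admin", expiration, KEYS["LOGGED_IN_KEY"])
    # With one phrase reused for every cookie, the two cookie types become interchangeable.
    shared_logged_in = sign_cookie("admin", expiration, "one shared phrase")
    return {
        "auth cookie accepted as auth":
            verify_cookie(auth, KEYS["AUTH_KEY"], now) == "admin",
        "logged_in cookie rejected as auth":
            verify_cookie(logged_in, KEYS["AUTH_KEY"], now) is None,
        "tampered auth cookie rejected":
            verify_cookie(auth.replace("admin", "editor", 1), KEYS["AUTH_KEY"], now) is None,
        "expired auth cookie rejected":
            verify_cookie(auth, KEYS["AUTH_KEY"], expiration + 1) is None,
        "shared key lets logged_in pass as auth":
            verify_cookie(shared_logged_in, "one shared phrase", now) == "admin",
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
    print(generate_keys())
```

The last entry in demo() is the case the post warns about: if the three defines share one phrase, a cookie that is only supposed to say "this user is logged in" verifies just as well under the auth check.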

This should be mostly transparent to plugins and themes. I say mostly because there are some themes that send POST and AJAX requests to files within the themes directory.  The auth cookies are delivered only to the wp-admin and wp-content/plugins directories, so files directly loaded from wp-content/themes will not see the cookies.  Themes should send their POST and AJAX requests to the admin-post.php or admin-ajax.php files.  I’ve added a short article to the codex on how themes and plugins should handle their POST and AJAX requests.

Plugins might also create links that are not properly prefixed with ‘https’.  Any content loaded into a secure page must come via an https link to avoid warnings from the browser about the content being only partially encrypted.  WordPress 2.6 introduces five new functions that take care of using the proper protocol when loading CSS, JS, and other files into an SSL-encrypted admin page.  They are site_url(), admin_url(), includes_url(), plugins_url(), and content_url().  Each accepts an optional path relative to the site, admin, includes, plugins, and content URLs, respectively.  For example, to link to wp-content/plugins/foo/foo.php use plugins_url('foo/foo.php').  Plugins that load CSS and JS via relative links do not need to use these functions.  Relative links will automatically use the proper protocol.
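To make the "partially encrypted page" problem concrete, here is an added Python example (not WordPress code, and not from the post): a model of the five URL helpers that follow the request's scheme, plus a check that scans a page served over https for absolute http:// references. The example.com host, the wp-includes directory used for includes_url(), the hypothetical foo plugin and the sample HTML are all constructed for the demonstration.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Constructed model of the 2.6 URL helpers and a mixed-content check for an
# admin page served over https. SITE and the sample page are made up; the
# directory map mirrors the directories the post names (wp-includes is assumed).

SITE = "example.com"
BASES = {
    "site": "",
    "admin": "/wp-admin",
    "includes": "/wp-includes",
    "plugins": "/wp-content/plugins",
    "content": "/wp-content",
}


def wp_url(kind: str, path: str = "", request_is_ssl: bool = False) -> str:
    """Model of site_url()/admin_url()/includes_url()/plugins_url()/content_url():
    an absolute URL whose scheme follows the scheme of the current request."""
    scheme = "https" if request_is_ssl else "http"
    base = f"{scheme}://{SITE}{BASES[kind]}"
    return f"{base}/{path.lstrip('/')}" if path else base


# src/href attributes of the elements that pull sub-resources into a page.
REF_RE = re.compile(
    r"""<(?:script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*['"]([^'"]+)['"]""",
    re.I,
)


def mixed_content(html: str, page_url: str) -> list[str]:
    """Absolute http:// references in a page served over https.
    Relative and protocol-relative references inherit the page's scheme, so
    they are not flagged; a page served over http has nothing to flag."""
    if urlsplit(page_url).scheme != "https":
        return []
    return [ref for ref in REF_RE.findall(html) if urlsplit(ref).scheme == "http"]


# Constructed admin page: one hard-coded http script (the plugin bug the post
# describes), one relative stylesheet, one script built with the helper while
# the request is https, and one protocol-relative image.
SAMPLE_HTML = """
<link rel="stylesheet" href="css/admin.css">
<script src="http://example.com/wp-content/plugins/foo/foo.js"></script>
<script src="{good}"></script>
<img src="//example.com/wp-content/uploads/logo.png">
""".format(good=wp_url("plugins", "foo/foo.js", request_is_ssl=True))


def demo() -> list[str]:
    """Flag the references that would trigger the browser's partial-encryption warning."""
    return mixed_content(SAMPLE_HTML, "https://example.com/wp-admin/")


if __name__ == "__main__":
    print(demo())
```

Only the hard-coded http:// script is reported; the relative stylesheet and the helper-built script are fine, which is exactly the post's advice to plugin authors: either use relative links or build absolute ones with the new functions.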

If your host supports SSL, WordPress 2.6 enables you to make use of that support in a secure manner.  Enjoy, and help us make SSL support better by reporting any bugs you find.

64 responses to “SSL and Cookies in WordPress 2.6”

  1. Frédéric

    nice 😀

  2. Jan Dembowski

    Ryan,

    On the topic of SSL and cookies… Is there a way to define the https URL as a constant in wp-config?

    For example https://mybloghere.com/wp-admin/ works, but for a second blog running on the same host as a virtual, I’d like to use https://secondblog.com:444/ (not 443) for administration.

    This way I can bind the second SSL instance to 444 and have two separate SSL certs, root directories, etc.

    Sorry for posting here versus the forum 🙂

    Jan Dembowski

  3. Ryan

    Jan Dembowski, not in 2.6 but maybe for 2.7.

  4. WordPress 2.6 (SVN copy not latest.tar.gz) at Mostly Harmless

    […] admin works well! See Ryan’s post here. I’m using it now and it’s very seamless. It breaks Simple Tags suggested tags, but […]

  5. Paveo

    That’s cool.

  6. Ma.tt » 2.6 and Cookies

    […] 2.6 is out and it’s a really solid release, so check it out. Ryan has a good post on SSL and Cookies in WP 2.6. (0) […]

  7. DavidTan

    cool, nice feature.

  8. Wordpress 2.6 is out. Should you upgrade. Yes! | My Blog Posts

    […] SSL and Cookies in WordPress 2.6 […]

  9. ChaosKaizer

    This is the best features for 2.6, good jobs.

  10. Wordpress 2.6 for download | aNieto2K

    […] Tyner, a jazz pianist. Among the improvements we have already discussed and the evolution of WordPress, Ryan Boren shows us the advantages of using cookies and SSL in this new version. [Download] Share it ← Does Meneame need a redesign more […]

  11. Niklas’ blog » Blog Archive » WordPress 2.6 upgrade; using Wordpress Automatic Upgrade plugin

    […] WordPress 2.6 has just been released, which entails a slew of nice upgrades, e.g. post revisions, new cookie and SSL handling, bookmarklet support, Google Gears in the admin interface (yes!) and more, all covered in text […]

  12. Neil

    just updated 2 mins ago, thanx for all the hard work guys!

  13. Well, if it makes things nicer… < LostFocus

    […] SSL and cookies in the new WordPress Post a comment | Trackback URI […]

  14. WordPress 2.6 – Tyner | nickbohle.de

    […] Another important resource for the latest version is Ryan Boren’s article about “SSL and Cookies in WordPress 2.6”. […]

  15. Wordpress 2.6 out with some awesome new features – Tech Tips & Tricks

    […] 2.6 security details. Posted at Jul 15, 2008 – 8:41 am by The3Ts in WordPress Tags: cookie, Security, ssl, svn, […]

  16. BlogMaster – WordPress 2.6 available

    […] WordPress version 2.6, codename “Tyner” after the jazz pianist McCoy Tyner, arrives with impeccable punctuality. Besides fixing almost 200 bugs, it brings notable improvements and new features, among them the use of SSL and cookies, explained clearly by Ryan Boren. […]

  17. Wordpress 2.6 | Tyner | Aventine

    […] Another important resource about 2.6 is Ryan Boren’s “SSL and Cookies in WordPress 2.6” […]

  18. WordPress 2.6, ready for download | Mangas Verdes

    […] WordPress 2.6 is here, to the joy of many and the headache of just as many others. The new features in this update are significant, and most of them are among the most interesting, too. Among […]

  19. WordPress 2.6, ready for download | 8chapas.com

    […] 2.6 is here, to the joy of many and the headache of just as many others. The new features in this update are significant, and most of them are among the most interesting, too. Among […]

  20. Planeta WordPress » WordPress 2.6, ready for download

    […] WordPress 2.6 is here, to the joy of many and the headache of just as many others. The new features in this update are significant, and most of them are among the most interesting, too. Among […]

  21. Wordpress 2.6

    […] what I really liked in this version are the improvements to SSL support and cookies in the WordPress admin panel. From now on it is easier to make the whole panel use an SSL connection, by defining this in […]

  22. WordPress 2.6 – Yoast – Tweaking Websites

    […] Update: another great post to read is Ryan Boren’s post about the security implications of the 2.6 release: SSL and Cookies in WordPress 2.6 […]

  23. WordPress 2.6 disables remote access, swats 194 bugs | Zero Day | ZDNet.com

    […] WordPress lead developer Ryan Boren has published more details on SSL and cookie handling. […]

  24. WordPress 2.6 Released :: geek ramblings

    […] In addition to the features I highlighted previously, Ryan has details on his blog about the improved support for SSL, and some new helper functions which will be useful for plugin and theme authors. And the official […]

  25. Zeothrone

    Good job! Thanks for the great release.

  26. noel alanguilan » blog archive » wordpress upgrade time. again.

    […] links: wordpress extended upgrade instructions secret key for wp-config ssl and cookies in wordpress 2.6 […]

  27. EWD » WordPress 2.6 is out

    […] 194 bugs besides offering full SSL support in the core, and the ability to force SSL for security (new cookie setup). It also includes speed improvements and a Wiki-like tracking of […]

  28. WordPress 2.6 | WordPress Philippines

    […] Boren discusses in depth SSL and Cookies in WordPress 2.6, which I’m sure is the first of many blog posts to tackle the new stuff under the […]

  29. Diario a Borbo · Wordpress 2.6

    […] WordPress 2.6, codename Tyner, is now with us; it fixes more than 194 bugs and adds new features, among which I would highlight support for Gears, post revisions, theme preview and SSL support. […]

  30. Download Wordpress 2.6 now! |

    […] Read more about Ryan’s post on SSL and Cookies in WP 2.6. […]

  31. WordPress 2.6: quick tips « My Weblog

    […] To take full advantage of it, everybody should enter not one but three “Secret Keys” in their wp-config.php file. More details are available on Ryan’s blog. […]

  32. Wordpress 2.6 released | wohnsilo

    […] bulk management for plugins or full SSL support (a description of this can be found on Ryan Boren’s blog). A detailed list of all new features, as well as a video in which the new […]

  33. WordPress 2.6 Upgrades — Orangescale.NET / Thomas Arie Setiawan

    […] After upgrading, I made some adjustments on the settings. For example, the Remote Publishing Settings, and let’s not forget about some other features. If you haven’t touch your wp-config.php files, there are some other settings managed from the configuration file like Post Revisions and some security definition settings. Anyway, WordPress 2.6 has full support of SSL in the core and it has the ability to force SSL for security. Read Ryan Boren’s post about SSL and Cookies in WordPress 2.6. […]

  34. WordPress 2.6 Released For Everyone | OPENGIGA

    […] of visiting the admin over plain http, 2.6 moves from a single cookie setup to a three cookie setup read more… " […]

  35. » WordPress 2.6 Notes MaisonBisson.com

    […] Boren posted a great overview of changes to cookies to improve security and accomodate the SSL features. In addition to paying attention to the new […]

  36. WordPress Upgrade | SteveWebel [dot] Com

    […] few things, I thought about resetting my browser (I’m using Apple’s Safari browser.)  I had read that one of the ‘upgrades’ in v2.6 was a new way of handling “cookies&#…, by resetting Safari, I would wipe out the old cookies and get a fresh start, so to […]

  37. Brian.Carnell.Com » Blog Archive » WordPress 2.6

    […] to turn off XML-RPC without having to use a plugin, created a post versioning system, and provided better support for accessing admin functions over SSL (including adding Google Gears to speed up the admin […]

  38. Armchair Media / WordPress 2.6 released / 404-745-4504

    […] You can now blog from public WiFi spots without fear. WordPress 2.6 now supports SSL for both the administration panel and for logins. Without SSL encryption, your user name and password are sent to the server in clear text. That’s a security disaster waiting to happen if someone is sniffing traffic on the same network. But with WordPress 2.6, you can use SSL to log in as an administrator, and even force all logins to use SSL. […]

  39. ø Yay, WordPress 2.6 Is Out | W-Shadow.com ø

    […] I tried (all plugins deactivated). Eventually I tried deleting cookies and that worked. Maybe the improved cookie security in WP 2.6 still needs a bit of […]

  40. WordPress 2.6 Released | Wordpress Blog NL Hosting

    […] In addition to the features I highlighted previously, Ryan has details on his blog about the improved support for SSL, and some new helper functions which will be useful for plugin and theme authors. And the official […]

  41. 2.6 and Cookies | Wordpress Blog NL Hosting

    […] 2.6 is out and it’s a really solid release, so check it out. Ryan has a good post on SSL and Cookies in WP 2.6. My congrats go out to the whole team for putting together the release, ahead of schedule! Update: […]

  42. Chris Pepper

    SSL admin sounds great, although I need it to support a different prefix for SSL URLs than for non-SSL, so I will have to stick with Admin-SSL (once it works with 2.6 again) until 2.7 or whenever built-in SSL support gets a bit more flexible.

    Can you guys put SSL into the docs? The release announcement links to wikipedia for a definition of SSL, and this blog posting is the only documentation I’ve seen, but I got here through Google — no pointers in the announcement or WP Docs.

  43. WordPress 2.6 Released » 70 Tricks

    […] In addition to the features I highlighted previously , Ryan has details on his blog about the improved support for SSL , and some new helper functions which will be useful for plugin and theme authors. And the official […]

  44. noel alanguilan » blog archive » wp 2.6 upgrade weirdness

    […] think this has something to do with wordpress 2.6 using three cookies instead of the usual one. doing the steps above sort of cleared the previous version’s cookie […]

  45. Tom

    Hi Ryan,

    I had to change the single quotation marks to straight marks (not cute or curly or whatever people call them) from the formatted ones in your post above. Then it worked.

    define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);

    I have them both forced.

    Thanks for providing the information.

    Tom Usher

  46. WordPress 2.6 Released,Update your wp-blog | Webabout.org

    […] In addition to the features I highlighted previously, Ryan has details on his blog about the improved support for SSL, and some new helper functions which will be useful for plugin and theme authors. And the official […]

  47. Netsensei » Blog Archive » Wordpress 2.6 II

    […] is now the cause of this problem? Ryan Boren’s article SSL and Cookies in WordPress 2.6 explains it nicely. Security of the admin panel has been tightened further in 2.6. […]

  48. Phy

    I was upgrading to 2.6 and activating some plugins after the upgrade was done, then this message appeared:

    Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 223115 bytes) in /home/ysamphyc/public_html/wp-admin/includes/plugin.php on line 4

    And I cannot log in the admin panel now. 🙁 Please help!

  49. Tobias

    Hi,

    I’m trying to use SSL-encrypted admin sessions.

    Thus, I added those two mentioned define(…) lines to my wp-config.php, but when trying to open https://www.myfoosite.bar/wp-admin Firefox3 tells me in an error message that the site was sending it into an indefinite redirect loop.
    (Without the two lines I can access the page through SSL correctly, but then all links/image-srcs are still http://)

    What’s wrong here? Or aren’t those two lines not enough to enable SSL admin sessions? Do I need an extra plugin with WP 2.6 just laying out the foundation for its use?

    Thanks!
    Tobias

  50. Jan Eric

    Ryan,

    the new SSL handling is great! Will there be support for shared SSL proxies
    (e.g. https://ssl.webpack.de/example.com)
    in the future, too?

    –Jan Eric

  51. Wordpress 2.6 – make it nice and hard, and with SSL | marcO’s_br4inh4ck

    […] now finally comes with an SSL login option. A bit more security to prevent the login, password and auth cookie from being […]

  52. Blog upgrade and permalink change

    […] in. There’s also a good explanation of the use of cookies within this opensource software by Ryan Boren. They’ve released a short video of the changes, which as you can embed, I thought I might as […]

  53. programmer

    Really good job guys, really good job.

  54. WordPress 2.6: SSL and Cookies

    […] Full Article […]

  55. Richard Catto

    I can’t find a comprehensive list of all defines that can be made in the wp-config.php file, nor instructions on how to move wp-config.php and wp-content to new locations.

  56. Polish WordPress 2.6 | torli

    […] new features that many have been waiting for for a long time. You can read about the new features on Ryan’s site or at Weblog Tools Collection. As with the previous version, I am again making available […]

  57. SSL for WordPress Admin and the Problem with XMLHttpRequest | Disruptive Library Technology Jester

    […] corresponds to the list of web addresses at the bottom of the document. Note! The updates to SSL handling in WordPress version 2.6 handle the problem of SSL-encrypted admin sessions in a much less hackish sort of way. It […]

  58. Basic Thinking Blog | Secret Keys in Wordpress 2.6

    […] can be entered. What they are for is described by one of WordPress’s lead developers in SSL and Cookies in WordPress 2.6 Additional article info 1. Tags: wordpress 2. further articles […]

  59. angus

    Nice article here,
    cookies, ssl, nice job for WP developer, and your explanation awesome
    thank you :),

  60. SSL Encrypted Logins for WordPress « htpasswd

    […] SSL and Cookies in WordPress 2.6 […]

  61. Ben Green

    Hi Ryan

    The SSL features look promising – only there are various problems, for example plugins (like WP Stats) that require non-HTTPS script files/stylesheets, and so you get a ‘partially encrypted page’.

    Also, my plugin, Admin SSL (which was originally based on your first SSL plugin, Secure Admin), allows you to use Shared SSL as well as Private SSL – WordPress 2.6 will only work with Private SSL. It also allows individual pages to be secured, and actually works when you only want wp-login.php to be secured (I just can’t get that to work on my own blog!).

    Perhaps some of these features could be included in WP 2.7? I’d be happy to liaise with you to share my hard-fought experience of wrestling with Shared SSL, and the various different features.

    Cheers

    bcg

  62. Benedict Eastaugh

    Ben: opening a ticket on the issue tracker—preferably with a patch—is probably the best way to influence the future direction of this feature.

  63. Geoff @ UVM – securing wordpress

    […] finally found some info about getting current verions of WordPress to use SSL for Logins and wp-admin. I have enabled the settings on both my blogs, and it appears to be working […]

  64. Securing Wordpress using Security Keys and Salts – InMotion Hosting Support Center

    […] Ryan Boren – SSL and Cookies in WordPress 2.6 […]
