Requiring WordPress admins to log in through SSL (Secure Sockets Layer) helps prevent hackers from stealing passwords. But what exactly is SSL, and how do you force it for logins?
Until 1995, data was sent across the internet in plain text. If someone ordered a product with their credit card, the account number and all other info were unprotected — open to hackers who could have sifted that data.
Technology progressed when Netscape, an early internet browser, created the SSL protocol for data encryption.
With this added protection, data intercepted by hackers only looked like a nonsensical jumble of characters instead of actual account numbers and passwords. Thus, people could order products safely online.
Just before the turn of the millennium, SSL evolved into the TLS (Transport Layer Security) encryption protocol. Nowadays, this is still widely referred to as SSL encryption, using an SSL certificate, even though nearly all SSL instances are actually employing TLS encryption.
Today, securing a site with an SSL certificate is common practice, meaning the site is accessed through HTTPS instead of HTTP.
Still, some admins may forget to use HTTPS when they access a site, which compromises site security.
Forcing WordPress Admins to Use SSL
Luckily, there’s a simple way to remedy the situation on WordPress sites — to force admins to log in through SSL. This is an important step to safeguard a site, especially when multiple admins are maintaining a site.
In addition to encrypting data, SSL authenticates the connection through a process called a handshake, which ensures both devices are who they claim to be, and it verifies that data wasn’t modified or tampered with before reaching its destination.
Site owners can enforce SSL-only logins by editing the wp-config.php file. As long as your site is already hosted on a server with SSL enabled, you just need to set the following constant to true.
define('FORCE_SSL_ADMIN', true);
After that update, everyone will be required to access via SSL when logging into the WordPress site.
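To confirm the setting is actually in effect, the following added example (not code from WordPress or from this article's author) audits the text of a wp-config.php file. It reports whether FORCE_SSL_ADMIN is missing, commented out, set to something other than true, or defined too late. It assumes the standard layout in which wp-config.php ends by loading wp-settings.php, so a define placed after that line comes too late to take effect. The function names and sample files are constructed for illustration.

```python
import re

# define('FORCE_SSL_ADMIN', <value>); with either quote style
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]FORCE_SSL_ADMIN['"]\s*,\s*([^)]*?)\s*\)\s*;""", re.I)
# The line in a standard wp-config.php that hands control to WordPress
SETTINGS_RE = re.compile(r"(?:require|include)(?:_once)?\b[^;]*wp-settings\.php")


def strip_comments(php):
    """Drop /* */ blocks and //, # line comments (heuristic, not a PHP parser)."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)(^|[\s;])(//|#).*$", r"\1", php)


def audit_force_ssl_admin(php):
    """Return 'ok', 'missing', 'disabled' or 'too_late' for wp-config.php text."""
    code = strip_comments(php)
    found = DEFINE_RE.search(code)      # PHP keeps the first define of a constant
    if not found:
        return "missing"
    if found.group(1).lower() != "true":
        return "disabled"
    loader = SETTINGS_RE.search(code)
    if loader and loader.start() < found.start():
        return "too_late"               # defined after WordPress has already loaded
    return "ok"


# Constructed sample files, not taken from a real site.
GOOD = """<?php
define('DB_NAME', 'example');
define('FORCE_SSL_ADMIN', true);
require_once ABSPATH . 'wp-settings.php';
"""
COMMENTED_OUT = GOOD.replace("define('FORCE_SSL_ADMIN'", "// define('FORCE_SSL_ADMIN'")
SET_FALSE = GOOD.replace("true", "false")
AFTER_LOADER = """<?php
define('WP_HOME', 'https://example.com');
require_once ABSPATH . 'wp-settings.php';
define( "FORCE_SSL_ADMIN", TRUE );
"""

if __name__ == "__main__":
    for name in ("GOOD", "COMMENTED_OUT", "SET_FALSE", "AFTER_LOADER"):
        print(name, audit_force_ssl_admin(globals()[name]))
```

The comment stripping is a heuristic: a file it misreads is reported as "missing" rather than "ok", so any non-"ok" result should be followed by a manual look at the file.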
If you are interested in forcing SSL on your WordPress site or have any questions regarding WordPress security, feel free to contact us here at Hall.