Security Stuffs

Moving WordPress to SSL Only

I moved my WordPress site to SSL only today. Very straightforward process, as it turns out. The WordPress Codex pointed me towards the changes required in the application itself. In your wp-config.php just throw in the following lines:

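// Force logins and the admin area over SSL.
define('FORCE_SSL_ADMIN', true);
// Check that the proxy header is set before reading it, then mark the request as HTTPS.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
       $_SERVER['HTTPS'] = 'on';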

This small piece of configuration tells the system to force all administrative things over SSL. It also tells the system to look for an X-Forwarded-Proto header, which PHP exposes as $_SERVER['HTTP_X_FORWARDED_PROTO']. If that value is https, WordPress treats the request as having arrived over SSL.

Since I have a BIG-IP in front of my WordPress instance, we’ll look at how to make it insert the header so everything is forced over SSL. The virtual server is built like every other SSL-enabled virtual server, really nothing special at all. The one exception is in the HTTP Profile associated with the VS. This profile can be used to insert the HTTP header WordPress is looking for.

[Screenshot: HTTP Profile SSL Offload. Find this in your HTTP Profile.]

With this HTTP profile attached to a virtual server that is built for SSL offload, you have an easy way of moving all WordPress traffic to SSL.
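Because X-Forwarded-Proto is an ordinary request header, WordPress should honour it only when the connection really comes from the proxy; otherwise a plain-HTTP request could be treated as secure and the admin redirect skipped. The following is an added example, not code from the original post or the WordPress Codex: TRUSTED_PROXIES and request_is_https() are hypothetical names, and 192.0.2.10 is a placeholder for the BIG-IP address that connects to the web server.

```php
<?php
// Added example. TRUSTED_PROXIES and request_is_https() are hypothetical
// names; 192.0.2.10 stands in for the BIG-IP self IP facing the web server.
const TRUSTED_PROXIES = ['192.0.2.10'];

/**
 * Decide whether the original client connection used HTTPS.
 * The forwarded header counts only when the TCP peer (REMOTE_ADDR)
 * is a known proxy, because any client can send the header itself.
 */
function request_is_https(array $server, array $trustedProxies): bool
{
    // Direct TLS connection terminated on the web server itself.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false; // header did not come through the proxy: ignore it
    }
    // Fail closed: accept only a single, exact "https" value. A merged
    // list such as "http, https" means more than one header arrived.
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

// In wp-config.php this would replace the bare header test:
//   if (request_is_https($_SERVER, TRUSTED_PROXIES)) { $_SERVER['HTTPS'] = 'on'; }

// Constructed sample requests covering each outcome.
$samples = [
    'via proxy, https' => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'via proxy, http'  => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'merged headers'   => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'http, https'],
    'unknown peer'     => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'no header'        => ['REMOTE_ADDR' => '192.0.2.10'],
];
foreach ($samples as $label => $server) {
    $verdict = request_is_https($server, TRUSTED_PROXIES) ? 'HTTPS' : 'not HTTPS';
    printf("%-18s => %s\n", $label, $verdict);
}
```

The same protection can be had at the network layer by making the web server reachable only from the BIG-IP, in which case the REMOTE_ADDR check is a second line of defence.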