WordPress and Shared SSL

Over the weekend, I decided to move my website, once again, to BlueHost. DomainsMadeEasy just wasn’t cutting it. I constantly received “down” messages and when I called support, they dismissed me and refused to live up to their 99.9% SLA.

Upon migrating over, I wanted to be sure to take advantage of the shared SSL BlueHost provides in order to keep my WordPress login and admin area more secure. Little did I know, it was a bit more daunting to figure out then I expected it to be. Since it took me nearly 2 days to figure out the solution, I wanted to share it the “interwebs.”

First of all, the Admin SSL plugin that pops-up everywhere on Google when searching for using WordPress with shared SSL doesn’t work and the author seems to have stopped supporting the shared SSL functionality of it. So, that was a bust.

So, after playing around a bit, I added the following to my wp-config file, replacing USERNAME with my BlueHost user name and BLOG_DIRECTORY with the path to where I installed WordPress (note: this is specific to BlueHost):

define('WP_SITEURL', 'https://secure.bluehost.com/~USERNANAME/BLOG_DIRECTORY');

From there, I needed to insure my ‘wp-content’ folder stayed intact, so I also added the following to the wp-config file (this can be altered in the “Miscellaneous Settings” section as well):

define('WP_CONTENT_URL', 'http://blog.justinkorn.com/wp-content');

These two changes seemed to make everything work properly. When I attempt to login via wp-login.php, I am redirected to the shared SSL url and when I upload new content, everything goes to the proper place with in the wp-content directory.

The only caveat that I have seen so far is after clicking around within the admin area a few times, I receive the following message:

Too many requests received. Please wait a few minutes and try again.

Eventually the message goes away and I’m able to work again, so it’s not the end of the world, but it is a bit annoying.

In the end, however, I have a secure WordPress Admin area and I’m not shelling out the $30/yr for the dedicated IP or however much it is for the private SSL certificate. Hopefully this setup will prove to last; only time will tell.

Till next time…

Related Posts with Thumbnails
Rate this post: 1 Star2 Stars3 Stars4 Stars5 Stars
2 votes, average: 5.00 out of 5
Categorized: How Tos & Know Hows
  • Thanks for this post! I finally got it to work after futzing around with it for a while. Two points to help anyone else who has problems getting this to work:

    1. If your WordPress site is in the root directory (on BlueHost that's public_html) then omit the “/BLOG_DIRECTORY' argument that is mentioned above in the blog post. You'll end up with the following line for the wp-config file:

    define('WP_SITEURL', 'https://secure.bluehost.com/~%5Busername_without_brackets%5D');

    2. I find that if I go to my blog's “regular” wp-admin URL (e.g. http://www.myblog.com/wp-admin), WordPress tacks this onto the end of the URL: “?redirect_to=https%3A%2F%2Fwww.myblog.com%2F~[USERNAME]%2Fwp-admin%2F” The problem with this is that you end up in a loop, repeatedly going back to the login page. The manual remedy I've found for this is to delete that redirection string from the URL, hit Return, and then login. It's not elegant, but it's working fine for me.

    Thanks! This is saving me the cost of a dedicated IP address from BlueHost.

  • After trying out the shared SSL solution mentioned in this post for a while, I found that all pages load slower because secure.bluehost.com is called. Furthermore, I couldn't get this solution to work with WP-Super-Cache.

    I've noticed that you don't seem to be using SSL anymore — at least it doesn't seem like you are when I click on your Log In link. Did you give it up because it was too slow?

  • Seth,

    Yes, I removed SSL from the admin section of my site because I
    was experiencing several issues. Most particularly, the admin section of
    the site would stop loading after a few minutes. Apparently, BlueHost
    restricts the amount of bandwidth each user can use on the Shared SSL to
    something ridiculously small like 150kb (not 100% about the number).
    Needless to say, just loading the admin dashboard typically takes up more
    bandwidth than the restriction (or at least mine did) and therefore my
    Shared SSL solution quickly became useless for me.

    If you do figure out a workable solution, I'd love to hear it.

    Good Luck,

  • Thanks for that information. That explains why it's been so slow, although I know that SSL requires more overhead, slowing things down further. Like you, I spent too much time trying to get the shared SSL working right. I'm going to get rid of it and either use it unsecured or spend an extra $30/year for Bluehost's static IP. The other cost-saving factor I'm considering is using an SSL certificate from cacert.org, instead of having to pay for one. Since I'll only be using it for my own admin logins, it won't matter that the certificate will have to be manually installed in the browser, since I'll be the only one needing to do that.

  • John Byrne

    hi there
    I am probably completing missing the obvious here so really hope someone can help. Basically my wordpress domain is hosted on a fasthosts shared hosting environment with shared ssl. So – it turns out that I want to secure certain pages of the wp-ecommerce plugin. Now this plugin resides in /wp-content/plugins/wp-ecommerce/ – so does that mean I need to have an identical upload of my whole wordpress blog in my shared ssl area?
    Is there any chance of some step-by-step instructions on how to achieve ssl on certain wordpress pages without using “Admin-SSL” plugin (which doesnt work as you've said). i.e. if my users goes to my checkout cart page they will then get redirected to my shared ssl webaddress where the page also lies – then the url changes in the address bar and the user is going to get concerned?
    Seems like the only option with fasthosts is a dedicated server so I can get my own ssl domain cert.??

  • Hi,

    I'm currently setting up the same thing through Fasthosts, not done anything yet but having a crack later on, I'll let you know if I have any success. Let me know how you get on!

    • Hi,

      I have just set-up WordPress on Fasthosts securely.
      Yes, upload your WordPress directory and then when asked to create a secure folder via the Fasthosts control panel, name it wordpress (it doesn’t overwrite it).
      You can also force SSL by adding define(‘FORCE_SSL_ADMIN’, true); to the wp-config.php file.

      Happy days 😉

  • If anyone is having issues with WordPress and SSL, I am the developer of WordPress HTTPS and I’m actively trying to improve my plugin to address any and all SSL issues. I’ve solved many already, so it would be great to have more people try it out and provide feedback. Thanks!

  • Eric Capuano

    Just got Mike Ems’ plugin working on Bluehost using this blog post… Awesome write-up.. Thanks a lot.

    • Eric, did you have any issues using admin over SSL? I was also able to secure my admin on Bluehost, but had issues such as not being able to use the Text editor, not being able to use the Insert Link button in the Visual editor (clicking does nothing), and the admin flyout menus only working intermittently.

  • Matt Bingham

    I set this up with the bluehost shared ssl. Trying to get just the account and checkout process to be secure. I’m using woocommerce. Using your method made it possible to do this, but I can’t add products to the cart from the shop page. I can only add products to the cart from the individual product pages.