Correctly force SSL on WordPress via wp-config.php

Solution 1

PHP code doesn't have to deal with SSL at all in such a case. The classic SoC principle applies here: if your code doesn't explicitly work with the connection (in WP it does not), you should leave protocol checking to the web server.

You should also avoid defining the port in your rewrite rules. In case you're not using a multisite WP setup, you could try:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Solution 2

Corrected .htaccess rules (as detailed on wiki.apache.org):

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://mysslcertdomainname.com/$1 [R,L]

Normally, your code examples (1, 2, 3) are not necessary with WordPress, but it looks like you have some kind of proxy based on the question.

  1. Not Good: Will generate a PHP warning (standard PHP configuration) if HTTP_X_FORWARDED_PROTO is not set by the web server.
  2. Good: Checks that the variable exists before checking the value. Generates no warnings.
  3. Good: Best**

** As a general rule, changing _SERVER variables (like SERVER_PORT and HTTPS) is discouraged unless you have a not-so-common setup (i.e. behind a proxy, which is the only reason for any of this code).
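
Snippet 3 from the question trusts `X-Forwarded-Proto` from any sender, but it is an ordinary request header, so a client that can reach the web server directly can set it. The following wp-config.php fragment is an added example, not code from the question or the answers, and it honours the header only when the connection comes from the proxy; the `MYSITE_TRUSTED_PROXIES` addresses and the function name are hypothetical placeholders.

```php
<?php
// Added example for wp-config.php (place it above the line that loads wp-settings.php).
// ASSUMPTION: constructed sample addresses; replace with the IPs of your own
// reverse proxy / load balancer as seen by this web server.
const MYSITE_TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Hypothetical helper: decide whether the client-facing request used HTTPS.
 *
 * ASSUMPTION: the proxy overwrites X-Forwarded-Proto on every request instead
 * of passing through whatever value the client sent.
 */
function mysite_request_was_https(array $server, array $trustedProxies): bool
{
    // TLS terminated on this server: the web server itself sets HTTPS.
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }

    // Only believe the forwarded header when the TCP peer is one of our proxies.
    // REMOTE_ADDR is absent under the CLI, which then counts as untrusted.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }

    // isset-style access avoids the warning produced by snippet 1.
    // Exact match only: a list such as "https, http" or any other unexpected
    // value is treated as "not HTTPS".
    $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));

    return $proto === 'https';
}

if (mysite_request_was_https($_SERVER, MYSITE_TRUSTED_PROXIES)) {
    // Same effect as snippets 2 and 3: WordPress's is_ssl() reads this value.
    $_SERVER['HTTPS'] = 'on';
}
```

Requests that reach the server without passing through a listed proxy keep whatever `HTTPS` value the web server set, so the .htaccess redirect still applies to them.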

Solution 3

If you are using Docker and want to avoid manual configuration (by humans), this worked for me:

    if ( getenv('ENABLE_HTTPS') === "true" ) {
      define( 'FORCE_SSL_ADMIN', true );
      $_SERVER['HTTPS'] = 'on';
    }

And I just need to pass a new variable, ENABLE_HTTPS:

    docker run -d --name wordpress -it --rm -p 80:80 \
      -e DB_HOST=10.10.10.10:3306 \
      -e DB_USER=root \
      -e DB_PASSWORD=secret \
      -e DB_NAME=wordpress \
      -e AUTH_KEY=$RANDOM_KEY \
      -e SECURE_AUTH_KEY=$RANDOM_KEY \
      -e NONCE_KEY=$RANDOM_KEY \
      -e LOGGED_IN_KEY=$RANDOM_KEY \
      -e AUTH_SALT=$RANDOM_KEY \
      -e SECURE_AUTH_SALT=$RANDOM_KEY \
      -e LOGGED_IN_SALT=$RANDOM_KEY \
      -e NONCE_SALT=$RANDOM_KEY \
      -e WP_DEBUG=true \
      -e DISABLE_WP_CRON=true \
      -e ENABLE_HTTPS=true wordpress:5.7.2

Author: Ryflex

Updated on November 24, 2021

Comments

  • Ryflex
    Ryflex over 2 years

    If I edit the wp-config.php I am supposed to add:

    define('FORCE_SSL_ADMIN', true);
    define('FORCE_SSL_LOGIN', true);
    

    However, my website has .htaccess rules to force https and www across the entire website:

    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80 [OR]
    RewriteCond %{HTTP_HOST} ^website.com
    RewriteRule ^(.*)$ https://www.website.com/$1 [L,R=301]
    

    I know there are other rewrite rules available, but again I'm not sure which one is correct.

    Which of the following 3 should I be using in wp-config.php?

    1 - Without isset(), with curly brackets, with server_port

    if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
        $_SERVER['HTTPS'] = 'on';
        $_SERVER['SERVER_PORT'] = 443;
    }
    

    2 - Without curly brackets & without server_port?

    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
        $_SERVER['HTTPS'] = 'on';
    

    3 - Are curly brackets needed/better or "more correct" & is server_port required?

    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
        $_SERVER['HTTPS'] = 'on';
        $_SERVER['SERVER_PORT'] = 443;
    }
    

    I've found a few other slightly different variations of this all over the internet regarding WordPress SSL, but I can't figure out which one is the correct/main one...