Correctly force SSL on WordPress via wp-config.php

If I edit the wp-config.php I am supposed to add:

define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);

However, my website has .htaccess rules to force https and www across the entire website:

Options +FollowSymlinks
RewriteEngine On
RewriteCond %{SERVER_PORT} 80 [OR]
RewriteCond %{HTTP_HOST} ^website.com
RewriteRule ^(.*)$ https://www.website.com/$1 [L,R=301]

I know there are other rewrite rules available, but again I'm not sure which one is correct.

Which of the following 3 should I be using in wp-config.php?

1 – Without isset(), with curly brackets, with server_port

if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
}

2 – Without curly brackets & without server_port?

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
    $_SERVER['HTTPS'] = 'on';

3 – Are curly brackets needed/better or “more correct” & is server_port required?

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
}

I’ve found a few other slightly different variations of this all over the internet regarding WordPress SSL, but I can’t figure out which one is the correct/main one…

6 comments

  1. PHP code doesn’t have to deal with SSL at all in such a case.
    The classical SoC principle applies here: if your code doesn’t explicitly work with the connection (in WP it does not), you should leave protocol checking to the web server.

    You should also avoid defining port in your rewrite rules. In case you’re not using multisite WP setup, you could try:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    
  2. I used this one, which is fine to go on.

    if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
       $_SERVER['HTTPS']='on';
    

    If your server port differs from 443, you can specify it. Otherwise, there is no need to use it once again.

  3. Corrected .htaccess rules (as detailed on wiki.apache.org):

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://mysslcertdomainname.com/$1 [R,L]
    

    Normally, your code examples (1,2,3) are not necessary with WordPress, but it looks like you have some kind of proxy based on the question.

    1. Not Good: Will generate a PHP warning (standard PHP configuration) if HTTP_X_FORWARDED_PROTO is not set by the web server.
    2. Good: Checks that the variable exists before checking the value. Generates no warnings.
    3. Good: Best**

    ** As a general rule, changing _SERVER variables (like SERVER_PORT and HTTPS) is discouraged unless you have a not-so-common setup (i.e. behind a proxy, which is the only reason for any of this code).
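
Variant 3 from the question, restricted so the header is honoured only when the request comes from the reverse proxy itself and not from a client connecting directly. This is an added example, not part of the original answers. The function name, the `TRUSTED_PROXIES` constant and the `192.0.2.10` address are hypothetical placeholders, and it assumes the proxy overwrites any `X-Forwarded-Proto` value sent by the client.

```php
<?php
// Added example. Assumption: the address(es) of your own reverse proxy or
// load balancer as PHP sees them in REMOTE_ADDR (placeholder value below).
const TRUSTED_PROXIES = ['192.0.2.10'];

/**
 * True only when the request arrived from a trusted proxy AND that proxy
 * reported the client-facing connection as HTTPS.
 */
function forwarded_request_is_https(array $server, array $trustedProxies): bool
{
    $peer  = $server['REMOTE_ADDR'] ?? '';
    $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? '';   // no warning when absent

    if (!in_array($peer, $trustedProxies, true)) {
        return false;   // header did not come from our proxy: ignore it
    }
    return strtolower(trim($proto)) === 'https';
}

// In wp-config.php (above the "stop editing" line) this would be used as:
//
//   if (forwarded_request_is_https($_SERVER, TRUSTED_PROXIES)) {
//       $_SERVER['HTTPS'] = 'on';
//       $_SERVER['SERVER_PORT'] = 443;
//   }

// Constructed sample requests, so the file can be run from the CLI.
$samples = [
    'proxy, forwarded https'  => ['REMOTE_ADDR' => '192.0.2.10',  'HTTP_X_FORWARDED_PROTO' => 'https'],
    'proxy, forwarded http'   => ['REMOTE_ADDR' => '192.0.2.10',  'HTTP_X_FORWARDED_PROTO' => 'http'],
    'proxy, header missing'   => ['REMOTE_ADDR' => '192.0.2.10'],
    'direct client, spoofed'  => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($samples as $label => $server) {
    $https = forwarded_request_is_https($server, TRUSTED_PROXIES);
    printf("%-24s treat as HTTPS: %s\n", $label, $https ? 'yes' : 'no');
}
```

Only the first sample is treated as HTTPS; the direct client that sets the header itself is not.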

  4. If you are using Docker and want to avoid manual configuration (by humans), this worked for me:

    if ( getenv('ENABLE_HTTPS')  === "true" ) {
      define( 'FORCE_SSL_ADMIN', true );
      $_SERVER['HTTPS']='on';
    }
    

    And I just need to pass a new variable, ENABLE_HTTPS:

    docker run -d --name wordpress -it --rm -p 80:80 \
    -e DB_HOST=10.10.10.10:3306 \
    -e DB_USER=root \
    -e DB_PASSWORD=secret \
    -e DB_NAME=wordpress \
    -e AUTH_KEY=$RANDOM_KEY \
    -e SECURE_AUTH_KEY=$RANDOM_KEY \
    -e NONCE_KEY=$RANDOM_KEY \
    -e LOGGED_IN_KEY=$RANDOM_KEY \
    -e AUTH_SALT=$RANDOM_KEY \
    -e SECURE_AUTH_SALT=$RANDOM_KEY \
    -e LOGGED_IN_SALT=$RANDOM_KEY \
    -e NONCE_SALT=$RANDOM_KEY \
    -e WP_DEBUG=true \
    -e DISABLE_WP_CRON=true \
    -e ENABLE_HTTPS=true wordpress:5.7.2
    
  5. Use this code in functions.php:

    add_action('template_redirect', 'f_force_ssl');
    
    function f_force_ssl()
    {
        if (!is_ssl()) 
        {
            wp_redirect('https://' . $_SERVER['HTTP_HOST'] . 
            $_SERVER['REQUEST_URI'], 301);
            exit();
        }
    }
    
  6. For this to work for me, I had to comment out the if statement lines surrounding the line $_SERVER['HTTPS']='on';

    I am using Zevenet CE 5.9, which does not provide the options for x-forwarded-for or x-forwarded-proto, hence to put it behind the reverse proxy we just force https on this way :).
