Administration Over SSL

If you are concerned about the security of your WordPress powered blog, you can start using SSL, at least for the administration of your site, irrespective of where you host (on a shared hosting or on your own VPS or dedicated). It’d make sure that the password is sent over secure channel and the WordPress backend operations are done securely.

If you are on a shared hosting, you can use the shared SSL certificate. If you are hosting your site on your own, you can get a SSL certificate very easily. The cost varies from being free to a few thousand dollars depending on your needs. At least, create a certificate on your server to use it just for the WordPress administration (please don’t use this to run a web-shop).

Once you get the certificate, it’s time to configure the server to allow SSL. Just ask your webhost or your system administrator to set up this. If you are a self-learner and want to install it yourself, check out this article. Once this is done, you would be able to access the site with the HTTPS protocol.

We don’t need the visitors to use HTTPS just to see the site. Moreover, accessing the site via HTTPS is slower than the traditional HTTP. To enable WordPress administration (including logins and browsing everything in the backend), just add the following line in your wp-config.php file…

define('FORCE_SSL_ADMIN', true);

If you want to use SSL just to login (that’s when the password is sent in plain), and *not* while browsing the backend, then adding the following line should be sufficient…

define('FORCE_SSL_LOGIN', true);

Please note that, if you are going to send any other password or other sensitive information from the WP admin area, it is wise to use the first method, as everything in the WP administration happens via secured protocol.

PS: There is a plugin to do this thing (and more). :)

Ref: http://codex.wordpress.org/Administration_Over_SSL