Shared SSL in WordPress

Here’s one of the easiest solutions.

Using WordPress on a webhost with Shared SSL? As you’ve probably noticed, it’s not exactly a smooth experience. Here’s the solution.

The problem in a nutshell

When logging in to your WordPress admin panel, you’ll want to do that over HTTPS. If you’re anything like me, you didn’t pay the extra cost of getting your own IP and SSL Certificate. Instead, you just use the secure URL the web host sent you when you signed up. It looks something like https://secureXX.webhost.com/~username/, where XX is the server number at your host. This URL’s webroot lies in the public_html folder, just like your normal domain (ex: http://simen.codes). This is actually a great solution, as it gives you secure access to your site, without having to pay $450.

The problem comes when you try to set up WordPress. On which domain should you put the wp-content folder? What’s the correct WordPress address? And what about the Site URL? This took me a little while to figure out, but here’s my solution:

The manual part

First things first. If you haven’t set up your site yet, do this right in the setup wizard. If you’ve already set up your site, change these settings either in the admin panel under Settings > General, or through phpMyAdmin. For now, we want to be able to securely connect to the admin panel. Therefore, set all the addresses to your secure URLs.

And now, the magic

Now it’s time to do some trickery with the wp-config.php file. To keep things simple, I’ve put together a small plugin which generates the code block automatically, but if you really want to do it manually, here’s the code:

if ( $_SERVER["HTTP_HOST"] != "secureXX.webhost.com" ) {
    define( "WP_SITEURL", "http://yourdomain.com" );
    define( "WP_CONTENT_URL", "http://yourdomain.com/wp-content" );
} else {
    define( "WP_SITEURL", "https://secureXX.webhost.com/~username" );
    define( "WP_CONTENT_URL", "https://secureXX.webhost.com/~username/wp-content" );
}

Replace the hostnames and URLs to fit your configuration. Put it as close to the top of your wp-config.php as possible. I’ve put mine right after the opening comment. After saving, you should be able to log in using the secure address, and your users should be able to visit your site using your normal domain.

If you get a 404 from WordPress when opening the site(=not the admin panel) over HTTPS, don’t worry. This is because of the permalink structure. Just make sure the scripts and CSS files are loaded from the correct domain. If you need a secured frontend, you should buy a SSL certificate instead of reading this.

We’re getting there now. But there’s still one problem: when you add images to your posts, you use the admin panel, which means WordPress thinks the URL to your site (and the wp-content directory) is the secure one. Therefore, if you look at a post’s HTML after it’s been published you’ll see that the images still link to the secure URL. The only way around this is to replace the links. You can either do it manually, or you can install my little plugin, which does it automatically when you save your posts.

Plugin installation

The plugin comes as a single file, called shared-ssl-fixes.php.txt. Download and rename it to shared-ssl-fixes.php. Then, upload it to /wp-content/plugins/. Open your admin panel, go to the plugins page and enable Shared SSL Fixes. Configure the plugin from Settings > Shared SSL Options.

Having problems? Let me know at sb@simen.codes

One thought on “Shared SSL in WordPress

Comments are closed.