WordPress 2.6 introduced a new security feature for handling SSL, however it seems to be still buggy.

By adding a simple command to your config.php file to force SSL when loging in, should force the software to use SSL. I wasn’t able to get it working, and found out that wordpress SSL implementation will still need improvements in coming releases.

Looking for a solution to this, I stumbled upon a plugin that solves the problem and even adds more flexibility to using SSL with your wordpress installation.

I would recommend you to check it out, specially if you allow visitors to register to your site.

Visitors will always use or change their password and could be working in unprotected wireless locations that can add risk to your site. This plugin is very well suited in this case.

If however you are the only user of your site and you don’t force your visitors to register to comment, then you should be able to manage without SSL.

Types of SSL:

There are private (dedicated) and shared SSL solutions.

You can get shared SSL for free if your host provides it, but I think it is not worth it.

Using shared SSL will display the url of your host and your id https://yourhost.tld/~username/wp-admin
Using a private SSL will only show your domain https://yourdomain.com/wp-admin

Adding private SSL however is not free. You will need to buy a certificate that renews yearly. Godaddy offers 256-bit standard certificates for $30 yearly. In addition you also need a static IP, and set it up on your host.

Admin SSL plugin will provide an admin interface, where you can manage the pages that you want to force SSL.

admin SSL

I would recommend you to add the login page, users and profile page, where a user will change a password.

I tested with version 1.2-rc1 of the plugin with a wordpress 2.6 installation and it works very well.

To read more and download the plugin, click here.

Regards.