“Admin SSL 1.1 will not work with WordPress 2.6 due to the changes they have made, attempting to include their own SSL features. I have tried them, and they only work with Private SSL, you cannot secure individual URLs, and the feature that allows you only to secure the login page does not work (for me, anyway). So I’ll have to update Admin SSL to work with the new WordPress – perhaps I should ask them to include my code in 2.7!”

I don’t need the fine-grained control that Admin-SSL provides. I just need something that ensures that whenever I’m logging into the admin section or viewing admin pages it’s done over an SSL connection. After searching the web for answers I found a post by Ryan Boren on how to get the new built-in SSL support working.

If you want to force all admin sessions to be over SSL, add the following to your wp-config.php:

define('FORCE_SSL_ADMIN', true);

If you only want to force the logging-in process to be over SSL but not the rest of the admin pages then instead add this to your wp-config.php:

define('FORCE_SSL_LOGIN', true);

And in order to ensure that session cookies are truly secure you should make sure the following defines in wp-config.php are set to sufficiently random and unique values:

define('AUTH_KEY', ‘put your unique phrase here’);
define('SECURE_AUTH_KEY', ‘put your unique phrase here’);
define('LOGGED_IN_KEY', ‘put your unique phrase here’);

You can use http://api.wordpress.org/secret-key/1.1/ to obtain three unique, randomly-generated keys which you can just copy-and-paste into your wp-config.php.

This all seems surprisingly simple, but it does work. If you want more technical details then I seriously recommend reading Ryan’s post as a starter.

I’ve got to say the new administration interface is brilliant. It looks good, is layed out intelligently, and it just makes me want to use it more and more! I’m also glad that the WordPress folks decided to add full tag management. So far I’d been using SimpleTags for this job.

All in all the upgrade went smoothly except for one thing: the Admin-SSL plugin doesn’t work in Wordpess 2.5. And I’m not the only one who has noticed this. I consider this plugin to be a necessity (it’s good to be anal about security!). I might have a crack at fixing this problem myself.

Update (April 6th): Looks like I won’t need to fix Admin-SSL myself. Grab the fix from Ben Green.