I finally got fed up with not having SSL for my Wordpress instance on Webfaction and decided to rectify it today. I ran into a couple of surprises along the way that were really irritating, so once I sorted them out I figured I owed the internet an explanation so that things would be easier for anyone else wanting to do the same thing.
I'm going to assume that you already have a Webfaction account with a Wordpress instance running on it. If not, the control panel screencast is an oldie-but-goodie that'll get you started. I'm also going to assume that you're on one of the basic, shared hosting plans, and that you'll be running your secure stuff on the same box as your non-secure site. And I'm also assuming that you'll be okay using Webfaction's default SSL certificate rather than your own--this will throw warnings in many browsers, but saves you the cost of purchasing your own cert and the time required to request a private IP from Webfaction. And this only applies to Wordpress 2.6 and above. (You really should upgrade, you know.)
Create a secure site
In the Webfaction world, a single "site" can only be non-secure or secure, so you need to create a new site that will largely mirror your existing, non-secure site. To do this:
- Log into the Webfaction control panel.
- From the Domains/websites menu, pick Websites.
- Click the little green + icon at the bottom-right of the websites panel to begin creating a new site.
- Give your new site a meaningful name (I like it to be the same as the non-secure site, but with "_secure" or something similar tacked onto the end).
- Choose the same IP as the non-secure site that you're adding SSL to. Unless you are fancy enough to have multiple IPs, this shouldn't really be a choice at all.
- Check the HTTPS checkbox. (This is important.)
- Choose the same subdomains as the non-secure site that you're adding SSL to--so if your site is at
http://www.yoursite.com, you might want to make sure that you select
www.yoursite.comsubdomains so that both will be connected to this configuration.
- In the Site apps section, add your existing Wordpress instance with the same URL path that it has in your non-secure site. If you've got an app called
/blog, make sure you do the same thing here.
- Click Create.
Fix your Wordpress URL configuration
If you visit your blog now (in non-secure/http mode), depending on your browser, you might see a complete and total failure to load your stylesheets--meaning that your site is now probably fairly ugly. If you view source, you'll see that, even though you aren't loading your page from over HTTPS, Wordpress is generating HTTPS links for all your content--stylesheets, images, everything.
To fix this:
- Log into your Wordpress instance and go into the Dashboard.
- Go to the General Settings page.
- Change the WordPress address (URL) and Blog address (URL) fields to begin with
- Don't forget to Save Changes.
Now try your site on its non-secure/http link. When you view source, all your resources should be coming from URLs that start with
Update your wp-config.php
wp-config.php. Depending on what you want to do, you'll add one or the other of the following two lines.
To require only login to be secured:
To require login and admin pages (my preference) to be secured:
Log out of your Wordpress instance, then hit your login link. You should now see that your login and registration pages are served up via https links. If you chose to use
FORCE_SSL_ADMIN, you should also see
https in all of the URLs as you navigate around your Wordpress admin area.
Things should be hunky-dory now. I hope it worked out all right for you!