How to Set Up HTTPS and Secure WordPress Admin With a Self-Signed Certificate


I got bored so I learned how to set up HTTPS on the admin parts of my WordPress blog. At first I was generating self-signed certificates because I read that buying a third-party verified certificate could cost upwards of $100 per year.

Then I saw this Ars article on getting a legit one for free.

After enabling mod_ssl on Apache and following the Ars guide above, I was ready to secure the admin parts of WordPress. The general idea is to:

1. Set up two virtual hosts with the same URL (the blog URL), one secure, the other not.
2. On the secure virtual host, set up a rewrite rule that shuttles all non-wp-admin traffic to the insecure site.
3. On the insecure virtual host, set up a rewrite rule that shuttles all traffic to wp-admin to the secure host.
4. Put in a filter (via a plugin) that filters the links in wp-admin so that, once activated, administrative links are rewritten to use https, and that edits cookies to work only over encrypted connections.

For the insecure virtual host:

<VirtualHost *:80>
    ServerAdmin david@davidxia.com
    ServerName davidxia.com
    # ServerAlias takes a space-separated list, not commas
    ServerAlias davidxia.com www.davidxia.com

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Canonicalise bare davidxia.com to www.davidxia.com
        RewriteCond %{HTTP_HOST} !^www\. [NC]
        RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>
    ...
</VirtualHost>

For the secure virtual host:

<VirtualHost *:443>
    ServerName www.davidxia.com
    <IfModule mod_rewrite.c>
        RewriteEngine On
        # If the path is NOT one of the admin paths, the first rule matches
        # and [C] chains into the second, which sends the request back to http.
        # Admin paths fail the first rule, so the chain is skipped and they stay on https.
        RewriteRule !^/wordpress/wp-(admin|login|register|content|includes)(.*) - [C]
        RewriteRule ^(.*)$ http://%{SERVER_NAME}$1 [L]
    </IfModule>

    SSLEngine on
    SSLCertificateFile /path/to/SSLCertificateFile.crt
    SSLCertificateKeyFile /path/to/SSLCertificateKeyFile.key
    SSLCertificateChainFile /path/to/sub.class1.server.ca.pem.cer
    ...
</VirtualHost>
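The two virtual hosts only work together if their ideas of "admin path" agree: the port-80 host pushes admin traffic to https, and the port-443 host pushes everything else back to http, so a path that one side treats as admin and the other does not bounces between them forever. The following is an added example, not code from the post, that models the decisions the rewrite rules above make and follows the redirects to check that admin paths end on https, other paths end on http, and no URL loops. The wp-admin-to-https rule on the insecure host is assumed here (it is step 3 of the post, elided by the `...` in the config); the host names and paths are the post's.

```python
"""Model of the post's two-vhost redirect policy (added example, not the
post's own code). It simulates the rewrite decisions rather than running
Apache, so it can be run offline."""
import re
from urllib.parse import urlsplit, urlunsplit

CANONICAL_HOST = "www.davidxia.com"          # %{SERVER_NAME} of the :443 host
# The alternation from the post's RewriteRule on the secure host.
ADMIN_PATTERN = r"^/wordpress/wp-(admin|login|register|content|includes)"
MAX_HOPS = 5


def insecure_vhost(url, admin_pattern=ADMIN_PATTERN):
    """Port 80. Returns a redirect target, or None if served here.
    Rule 1 is the post's www canonicalisation. Rule 2 (admin -> https) is an
    assumption matching step 3 of the post; it is not shown in the config."""
    p = urlsplit(url)
    if not p.hostname.startswith("www."):
        return urlunsplit(("http", "www." + p.netloc, p.path, p.query, ""))
    if re.match(admin_pattern, p.path):
        return urlunsplit(("https", p.netloc, p.path, p.query, ""))
    return None


def secure_vhost(url, admin_pattern=ADMIN_PATTERN):
    """Port 443, the post's chained rules: a path that does NOT match the
    admin pattern satisfies the negated first rule, which chains ([C]) into
    the redirect to http://%{SERVER_NAME}. Admin paths fall through."""
    p = urlsplit(url)
    if not re.match(admin_pattern, p.path):
        return urlunsplit(("http", CANONICAL_HOST, p.path, p.query, ""))
    return None


def resolve(url, secure_pattern=ADMIN_PATTERN, insecure_pattern=ADMIN_PATTERN):
    """Follow redirects until a vhost serves the request.
    Returns (final_url, hops_visited); raises RuntimeError on a loop."""
    seen = []
    for _ in range(MAX_HOPS):
        if url in seen:
            raise RuntimeError("redirect loop: " + " -> ".join(seen + [url]))
        seen.append(url)
        if url.startswith("https://"):
            nxt = secure_vhost(url, secure_pattern)
        else:
            nxt = insecure_vhost(url, insecure_pattern)
        if nxt is None:
            return url, seen
        url = nxt
    raise RuntimeError("too many redirects starting from " + seen[0])


def loops(url, secure_pattern=ADMIN_PATTERN, insecure_pattern=ADMIN_PATTERN):
    """True if the policy never settles for this URL."""
    try:
        resolve(url, secure_pattern, insecure_pattern)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    # Constructed sample requests: a bare-host admin hit and an https blog post.
    for u in ("http://davidxia.com/wordpress/wp-admin/",
              "https://www.davidxia.com/wordpress/2012/hello-world/"):
        final, hops = resolve(u)
        print(f"{u} -> {final}  ({len(hops) - 1} redirects)")
    # A narrower pattern on the secure side (login no longer kept on https)
    # makes wp-login.php ping-pong between the two hosts.
    narrow = r"^/wordpress/wp-admin"
    print("loop with mismatched patterns:",
          loops("http://www.davidxia.com/wordpress/wp-login.php", narrow))
```

The mismatch case is the one worth keeping in mind when editing either host: the secure host's pattern must cover every path the insecure host sends to https (and wp-content and wp-includes must stay on https, or the admin pages load their scripts and styles over plain http and the browser drops the green lock).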

Now I can finally see a nice green lock symbol in Google Chrome.