Secure Sign-in for WPMu

Image of Bank of America Secuity Guard
Image credit: Steve Rhodes’ “Bank of America security giving me the finger during the Iraq war protest”

OK, I need some help here. I am trying to make sure everything we do on UMW Blogs is covered under SSL, and while we have the SSL certificate for UMW Blogs, we don’t have the dynamic subdomain certificate. So, in short, is there some http, .htaccess voodoo we can do that would force everyone to sign-in through the main umwblogs.org domain, which would then kick them back to the administrative backend of their own blog once they’re in? I imagine this might even work for mapped domains, and it seems similar to what wordpress.com is doing. Any hints or tips would be greatly appreciated, because I have to get this solved right quick 🙂

This entry was posted in wordpress multi-user, wpmu and tagged , , . Bookmark the permalink.

7 Responses to Secure Sign-in for WPMu

  1. Tom says:

    You’ve seen what happens when I mess with htaccess files. Good luck.

  2. John Bachir says:

    Would the certificate only be used for the authentication?

    If you try to put ssl traffic with that certificate through any subdomains, the user’s browser will refuse to make the request. But you probably knew that.

    For redirecting all authentication transactions to the top level, something like this should work:

    ServerName *.umwblogs.org
    RedirectPermanent /wp-login.php https://umwblogs.org/wp-login.php

    TransferLog /var/log/httpd/auth-redirect-access.log
    ErrorLog /var/log/httpd/auth-redirect-error.log

  3. John Bachir says:

    Formatting eaten by this devilish CMS of yours… here is a nicer version:

    http://pastie.textmate.org/505411

  4. Andre Malan says:

    I tend to avoid .htaccess files like a plague. If you @enej on Twitter he might be able to share some of the stuff that OLT has been doing (or get a hold of Brian). I know we worked on that kind of stuff, but I wasn’t involved.

    I wish Matt and his team would make some of the changes that they made to WPMU to make WordPress.com more public. There is some serious voodoo back there that sites like umwblogs could use.

  5. Reverend says:

    Hey John,
    Good to hear from you again, and thanks for the code. I am weak, I tried that but it’s locking me out of the subdomain sites. I have to check with my server admin to see what is what. I simple .htaccess redirect like this will save me much work.

    Andre,
    I couldn’t agree more, I need that voodoo something fierce, especially withe mapped domains. I want to know how they are making the sign-on secure for those folks. It would be key for us. I’ll both Brian and Enej as soon as I can.

  6. Reverend says:

    John Bachir,

    You are my hero, I think this is going to work!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.