There are many tricks and small configuration items you can use to make your WordPress-powered site more secure than the default install. One of them is to require that logins happen over HTTPS and that all WordPress admin traffic takes place over HTTPS as well. I personally also use a plugin called WP Block Admin to allow only users with certain credentials access to wp-admin, so consider looking into that as well if areas of your site outside the admin section, such as a forum or comments, require users to log in.
Before forcing all logins and/or all WP admin traffic over HTTPS (SSL), check whether your host supports HTTPS and whether you have an SSL certificate installed. Make sure both are true before you force any HTTPS-only traffic. If you need an SSL certificate, they can be purchased by clicking here.
Force Secure WordPress Login:
To force only the login to happen over HTTPS, add the configuration line below to wp-config.php, which is located in the root directory of your WordPress installation.
- define('FORCE_SSL_LOGIN', true);
When you edit the wp-config.php file you will notice it is full of other define statements, so the line above should go near the end of the file, but it doesn't really matter exactly where. This line will only force HTTPS for logging into your WordPress site.
Force Secure WP Login & Secure WP Admin Traffic:
The other option, shown below, forces the login to happen over HTTPS like the statement above and also requires all traffic to /wp-admin/ to be secure.
- define('FORCE_SSL_ADMIN', true);
If you want all of the admin traffic to be secure, use this second define line, which will also require the login to your site to happen over HTTPS. If you use the second option, you do not need the first define statement. Only use the first define statement if you want only the login to be over SSL and are not going to require it for all /wp-admin traffic.
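One way to check the result of the edits above, as an added example that is not part of the original post: a Python audit that reports whether each constant is defined, set to true, not commented out, and placed before the line that loads wp-settings.php, since WordPress reads these constants while that file runs. The function names and the sample file contents are constructed for illustration, and heredoc strings are not handled.

```python
import re

# String literals are matched first so "//" inside a URL is not taken for a comment.
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|(/\*.*?\*/|//[^\n]*|#[^\n]*)""", re.S)
# define() and true/false are case-insensitive in PHP; constant names are not.
_DEFINE = re.compile(
    r"""\b(?i:define)\s*\(\s*['"](FORCE_SSL_(?:ADMIN|LOGIN))['"]\s*,\s*([^)]+?)\s*\)""")
_BOOTSTRAP = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*wp-settings\.php")


def blank_comments(php):
    """Replace PHP comments with spaces, keeping offsets and string literals."""
    return _TOKEN.sub(
        lambda m: m.group(1) or re.sub(r"[^\n]", " ", m.group(2)), php)


def audit_wp_config(php):
    """Map each FORCE_SSL_* constant to 'active', 'disabled', 'too-late' or 'missing'."""
    code = blank_comments(php)
    boot = _BOOTSTRAP.search(code)
    boot_at = boot.start() if boot else len(code)
    result = {"FORCE_SSL_LOGIN": "missing", "FORCE_SSL_ADMIN": "missing"}
    for m in _DEFINE.finditer(code):
        name, value = m.group(1), m.group(2).strip().lower()
        if result[name] != "missing":
            continue  # PHP keeps the first define(); later ones are ignored
        if m.start() > boot_at:
            result[name] = "too-late"  # WordPress has already loaded
        elif value in ("true", "1"):
            result[name] = "active"
        else:
            result[name] = "disabled"
    return result


# Constructed sample, not a real site's configuration.
SAMPLE = """<?php
define('WP_HOME', 'https://example.com'); // URL contains "//"
// define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
/* That's all, stop editing! */
require_once ABSPATH . 'wp-settings.php';
define('FORCE_SSL_ADMIN', true);
"""

if __name__ == "__main__":
    for constant, status in audit_wp_config(SAMPLE).items():
        print(f"{constant}: {status}")
```

To audit a real installation, pass the contents of its wp-config.php to `audit_wp_config` in place of `SAMPLE`.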