Today I upgraded my blogs to Wordpress 2.1, since I hadn't updated them in a little while and I didn't find the time until today.
While the upgrade worked well (and it apparently comes with quite a few MySQL optimizations and other neat features), I realized that my admin pages, which I serve via HTTPS, now had a "broken key" symbol: all URLs inside the page source code were unencrypted HTTP now, probably because they are no longer built relative to the page URL. Bad side effect: I couldn't upload any files for blog posts anymore, since my login cookie didn't work for HTTP (which is not a bug but a feature, obviously ;)).
At first I tried to change the "wordpress URL" in the options to https://... which worked, but that ended up also serving the CSS files and feeds and such on the public page as HTTPS -- leading to unnecessary stress on my little server and, much worse, to a certificate warning for every one of my users who happens not to have imported the CACert root certificate (which, quite frankly, is almost everyone).
After a little research, however, I found the Wordpress Secure Admin Plugin, which is infinitely easy to install and does exactly what it should: it makes sure all URLs in the admin interface are HTTPSed, so I can log into my blog over an encrypted connection again. It also encrypts the login cookie now, reducing the risk of session hijacking.
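The two checks described above, as an added example that is not code from this post or from the Secure Admin plugin: a small scanner that lists the plain-http subresources (stylesheets, scripts, images, form targets) that make a browser show the "broken key" on an HTTPS page, and a rewriter that upgrades only same-host URLs to https and only for admin requests, so public pages, feeds and third-party resources are left alone and visitors never see the certificate warning. The hostname `blog.example`, the admin path prefixes and the sample admin page are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of an admin page with absolute http:// URLs (not a real WordPress page).
SAMPLE_ADMIN_PAGE = """<html><head>
<link rel="stylesheet" href="http://blog.example/wp-admin/wp-admin.css">
<script src="http://blog.example/wp-includes/js/tinymce.js"></script>
</head><body>
<form action="http://blog.example/wp-admin/upload.php" method="post"></form>
<img src="http://static.example.org/badge.png">
<a href="http://www.w3.org/">W3C</a>
</body></html>"""

# Assumed admin path prefixes; adjust to the installation being protected.
ADMIN_PREFIXES = ("/wp-admin/", "/wp-login.php")


class _RefCollector(HTMLParser):
    """Collect every (tag, attribute, url) that points at another resource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value:
                self.refs.append((tag, name, value))


def _is_subresource(tag, attr):
    # Only resources the browser fetches (or posts to) while rendering the page
    # count as mixed content; a plain <a href> is a navigation, not a subresource.
    return attr == "src" or (tag, attr) in {("link", "href"), ("form", "action")}


def find_mixed_content(html):
    """Return (tag, attr, url) for each subresource an HTTPS page loads over plain http."""
    parser = _RefCollector()
    parser.feed(html)
    return [
        (tag, attr, url)
        for tag, attr, url in parser.refs
        if _is_subresource(tag, attr) and urlsplit(url).scheme == "http"
    ]


def rewrite_same_host_to_https(html, site_host):
    """Upgrade http:// URLs on our own host to https://, leaving third-party URLs untouched."""

    def upgrade(match):
        url = match.group(0)
        parts = urlsplit(url)
        if parts.netloc == site_host:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    return re.sub(r"http://[^\s\"'<>]+", upgrade, html)


def should_force_https(request_path, admin_prefixes=ADMIN_PREFIXES):
    """Decide per request: rewrite only admin pages, never the public site."""
    return request_path.startswith(admin_prefixes)


if __name__ == "__main__":
    for ref in find_mixed_content(SAMPLE_ADMIN_PAGE):
        print("mixed content:", ref)
    if should_force_https("/wp-admin/post.php"):
        fixed = rewrite_same_host_to_https(SAMPLE_ADMIN_PAGE, "blog.example")
        print("remaining after rewrite:", find_mixed_content(fixed))
```

The third-party image stays on the report after the rewrite: a same-host rewriter cannot fix it, which is exactly the kind of reference that has to be changed by hand (or dropped) before the admin page is fully encrypted.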
Another Wordpress plugin on my "must have" list.
(lock picture source: CC by-nd licensed by mfshadow on flickr)