Note: FORCE_SSL_LOGIN was deprecated in Version 4.0. Please use FORCE_SSL_ADMIN.

To Force SSL Logins and SSL Admin Access

The constant FORCE_SSL_ADMIN can be set to true in the wp-config.php file to force all logins and all admin sessions to happen over SSL.

Example

  define('FORCE_SSL_ADMIN', true);

Note: FORCE_SSL_ADMIN should be set before wp-settings.php is required.

Using a Reverse Proxy

If WordPress is hosted behind a reverse proxy that provides SSL, but is itself hosted without SSL, these options will initially send any requests into an infinite redirect loop. To avoid this, you may configure WordPress to recognize the HTTP_X_FORWARDED_PROTO header (assuming you have properly configured the reverse proxy to set that header).

Example

define('FORCE_SSL_ADMIN', true);
// in some setups HTTP_X_FORWARDED_PROTO might contain
// a comma-separated list e.g. http,https
// so check for https existence
// (isset() avoids a PHP warning when the header is absent)
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}

You can also add the following line to the .htaccess file (before anything else):

SetEnvIf X-Forwarded-Proto https HTTPS

If you don't know exactly how your host configured the server, you can recognize this situation by infinite 302 redirects on the login page, leading to an error message saying that the page is not correctly redirected.
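
The PHP example above honours X-Forwarded-Proto from any sender, which is only safe when the proxy always sets or overwrites that header. The following added example (not WordPress core code) accepts the header only when the connection comes from the proxy's address and matches whole tokens instead of substrings. The function name `forwarded_https`, the constant `TRUSTED_PROXIES` and the address 192.0.2.10 are assumptions for illustration.

```php
<?php
// Added example, not WordPress core code. 192.0.2.10 is a placeholder
// for the address your reverse proxy connects from (assumption).
const TRUSTED_PROXIES = ['192.0.2.10'];

/**
 * Return true only when the request arrived from a trusted proxy and
 * that proxy reported https in X-Forwarded-Proto.
 */
function forwarded_https(array $server, array $trusted): bool
{
    // REMOTE_ADDR is the TCP peer address; a request header cannot set it.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted, true)) {
        return false;
    }
    $header = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    // The header may be a comma-separated list (e.g. "http,https").
    // Compare whole tokens so a value such as "nothttps" does not match.
    foreach (explode(',', $header) as $token) {
        if (strtolower(trim($token)) === 'https') {
            return true;
        }
    }
    return false;
}

// In wp-config.php, before wp-settings.php is required:
if (forwarded_https($_SERVER, TRUSTED_PROXIES)) {
    $_SERVER['HTTPS'] = 'on';
}

// Constructed sample requests showing the three cases.
$samples = [
    'via proxy, https'   => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'http,https'],
    'via proxy, http'    => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'http'],
    'direct, header set' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $server) {
    printf("%-20s => %s\n", $label, forwarded_https($server, TRUSTED_PROXIES) ? 'HTTPS' : 'not HTTPS');
}
```

The sample loop at the end is for running the file on its own from the command line; leave it out of wp-config.php.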