Title: [Plugin: WordPress HTTPS (SSL)] Force SSL for Authenticated Users
Last modified: August 20, 2016

---

# [Plugin: WordPress HTTPS (SSL)] Force SSL for Authenticated Users

 *  [fommil](https://wordpress.org/support/users/fommil/)
 * (@fommil)
 * [14 years, 4 months ago](https://wordpress.org/support/topic/plugin-wordpress-https-ssl-force-ssl-for-authenticated-users/)
 * Hi,
 * I use the HTTP AUTH plugin to authenticate users and I ensure that this is only
   ever done over SSL (in my Apache conf files).
 * However, WordPress then sets an “auth cookie” on the user’s browser which is used
   to authenticate the user for 2 weeks. The user can easily swap to HTTP mode and
   therefore an attacker could snoop the auth cookie and obtain login rights for
   that time period. IMHO, this is a fairly big security hole in WordPress in general
   (even for the default authentication mechanism).
 * Could you please support an option in your plugin (or let me know a simple way
   how to implement it myself) so that WordPress only requests the auth cookie when
   the user is using HTTPS? (BTW, I do need to keep the HTTP version of the site
   up for normal visitors.)
 * Regards, Sam
 * [http://wordpress.org/extend/plugins/wordpress-https/](http://wordpress.org/extend/plugins/wordpress-https/)

Viewing 1 replies (of 1 total)

 *  Thread Starter [fommil](https://wordpress.org/support/users/fommil/)
 * (@fommil)
 * [14 years, 4 months ago](https://wordpress.org/support/topic/plugin-wordpress-https-ssl-force-ssl-for-authenticated-users/#post-2515760)
 * (I just realised that the title is perhaps misleading – it should be: “Only Authenticate
   SSL Users”)
 * PS: I’m not 100% sure about how it works, but I am assuming that the client will
   only send the cookie if requested to do so. If this assumption is false, then
   the better solution would be that the cookie is constructed in such a way that
   the client only sends the auth cookie when using SSL.
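
Added example, not part of the original thread or of the plugin's code: browsers attach a cookie to every request that matches its domain and path, and only the `Secure` attribute restricts it to HTTPS. The Python sketch below audits the `Set-Cookie` headers of a login response for WordPress auth cookies that lack that attribute; the header values, hash and token are constructed samples.

```python
from http.cookies import SimpleCookie

# WordPress auth cookie name prefixes; a site-specific hash follows each one.
AUTH_PREFIXES = ("wordpress_sec_", "wordpress_logged_in_", "wordpress_")
NOT_AUTH = {"wordpress_test_cookie"}  # set on the login form, carries no session

# Constructed Set-Cookie values (hash, user and token are made up).
PLAIN_LOGIN = [
    "wordpress_test_cookie=WP+Cookie+check; Path=/",
    "wordpress_0f3c=sam%7C1300000000%7Cdeadbeef; Path=/wp-admin; HttpOnly",
    "wordpress_logged_in_0f3c=sam%7C1300000000%7Cdeadbeef; Path=/; HttpOnly",
]
SECURE_LOGIN = [
    "wordpress_sec_0f3c=sam%7C1300000000%7Cdeadbeef; Path=/wp-admin; Secure; HttpOnly",
    "wordpress_logged_in_0f3c=sam%7C1300000000%7Cdeadbeef; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, morsel)."""
    jar = SimpleCookie()
    jar.load(header)
    if not jar:
        raise ValueError("unparseable Set-Cookie value: %r" % header)
    return next(iter(jar.items()))


def browser_sends(morsel, scheme):
    """Without Secure, the cookie goes out on http:// requests as well."""
    return scheme == "https" or not morsel["secure"]


def audit(headers):
    """Return names of auth cookies that would travel over plain HTTP."""
    exposed = []
    for header in headers:
        name, morsel = parse_set_cookie(header)
        if name in NOT_AUTH or not name.startswith(AUTH_PREFIXES):
            continue
        if browser_sends(morsel, "http"):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print("plain login exposes:", audit(PLAIN_LOGIN))
    print("secure login exposes:", audit(SECURE_LOGIN))
```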



 * 1 reply
 * 1 participant
 * Last reply from: [fommil](https://wordpress.org/support/users/fommil/)
 * Last activity: [14 years, 4 months ago](https://wordpress.org/support/topic/plugin-wordpress-https-ssl-force-ssl-for-authenticated-users/#post-2515760)
 * Status: not resolved