USING WORDPRESS on Linux with Apache + mod_SSL:
If you're reading this article I'm going to assume that you're operating a WordPress website on a Linux server with Apache running the module mod_ssl. It's a pretty common setup these days and at times can be downright frustrating, especially when trying to maintain at least some WordPress Security standards. Support for this setup is becomming more common amongst hosting providers but it's not always an option to lean of them. Have no fear, I'm here to solve a common upload issue with 'FORCE_SSL_ADMIN' on WordPress sites with this configuration.
Need other help with WordPress Security? Check out some of these other articles on our blog:
Also, check out our 'WordPress Security Checklist' for more help securing your site!
THINGS YOU'LL NEED IN THIS TUTORIAL:
- FTP access to your website files - we'll need to get at your website's .htaccess file during this process.
- Access to your WordPress admin (and administrator privelages to access the full "Settings" tab).
- A website running on a server with Apache. (Windows or Linux, Apache is for both. This pertains to the .htaccess file we'll modify.)
THE ROOT OF THE PROBLEM (or for you Don Henley fans "The Heart of the Matter"):
If you've secured your WordPress admin page pages and are having trouble uploading larger files you're not alone. If you've done a little research you may have already come accross solutions ranging from problems with SSL, server access issues, or general firewall issues. Maybe one of these solutions even fixed your problem, maybe not. If none of them fixed your upload issue I'd be willing to bet you the problem with WordPress force ssl admin running on Apache + mod_ssl.
The problem is actually due to something called the SSL renegotiation buffer size - or the 'SSLRenegBufferSize' directive in Apache mod_ssl. In a standard install of Apache on Linux, this directive is often undefined in the Apache config which then causes the server to use the default value of 'SSLRenegBufferSize 131072'. That's only 131072 bytes (.125 MB's!, super small) and if you're running an older version of Apache it could be even less than that. If your admin pages are running on https (over SSL) then that's going to be a problem when attempting to upload files larger than the smallest image files using this module thus, our problem. Here's how to fix it:
Step 1: Backup your website!
Every. Single. Time. People. Whenever making modifications to the configuration of your website, back it up. Back up the website files and directories as well as your WordPress database. It sounds simple but it's easy to forget. Just do it.
Step 2: download your htaccess file
- Access your website's directory using an FTP client, and locate the directory where your site files are stored.
- Find the .htaccess file and either download it, or simply right click and select 'view/edit' to open it in your default Text Editor. If you're forcing https on your whole site, it should look something like this:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Step 3: add new rule to your htaccess
- Now that you've opened your .htaccess in your default text editor, it's time to add the new rule. Before '# END Wordpress' hash at the end of your .htaccess file, add this piece of code
In my example I chose the buffer size of 10486000 bytes, but honestly this is up to you. There may be other security reasons to keep it smaller, but at this size you should not have any problems uploading any elements that you would normally need on a WordPress website.
Step 4: save and upload
Save an upload your final .htaccess file. Make sure you overwrite your old file and make a copy before you do, just in case something goes wrong. Your final file should look something like this:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
SSLRenegBufferSize 10486000
# END WordPress
Step 5: test uploads, both big and small
Now it's time to test big and small uploads and repeatedly do so. Since this is a renegotiation with the server you'll want to upload something, wait a minute, and try again. Upload the biggest file you'll possibly ever be uploading to your WordPress site and see if it successfully transfers. If you're good at math, you can actually find out how many MB's 10486000 bytes is and that should help you out (psst, it's 10MB!). We figure there really is never going to be a situation where you'd use the WP interface to upload anything larger so that's our cap, but it's up to you!
WordPress force ssl admin is a great tool that will secure your login page and admin dashboard, but it can be a bit frustrating. Hopefully this guide helped you remove one annoying problem.
THANKS FOR READING THIS POST ON WORDPRESS SECURITY:
Thanks for visiting our blog and reading this installment in our WordPress Security series! We hope that it helps you get your site running at peak performance with a greater level of security. If you're looking for more great WordPress security pointers check out our full blog or subscribe in the footer at the bottom of this page. Also be sure to download our "WordPress Security Checklist" and find out what you need to be doing to keep your WordPress site safte. Click the link below to download!
