Using SSL (actually TLS) to log into the WordPress administration zone is nearly a must these days, and it is possible to tell WordPress to always redirect to the HTTPS version of the wp-admin URL.
To do so, the following lines have to be added to the wp-config.php file:
// Force HTTPS for the login page
define('FORCE_SSL_LOGIN', true);
// Force HTTPS for the administration pages
define('FORCE_SSL_ADMIN', true);
Adding these lines fixes, as a very nice side effect, the nuisance of WordPress always switching back to clear-text HTTP when editing a post via an HTTPS login.
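A quick way to confirm the setting is really in effect, as an added example that is not part of the original post: the hypothetical function audit_wp_config() below scans the text of a wp-config.php for the two constants and reports the usual reasons they silently do nothing. The check for definitions placed after the wp-settings.php include goes beyond what the post states and relies on WordPress reading these constants while that file loads; the sample configuration is constructed.

```python
import re

QUOTES = "'\"\u2018\u2019\u201c\u201d"  # straight quotes plus typographic ones from copy/paste
DEFINE_RE = re.compile(
    rf"define\s*\(\s*([{QUOTES}])(FORCE_SSL_(?:ADMIN|LOGIN))([{QUOTES}])\s*,\s*([^)]+?)\s*\)")
# String literals are matched first so '//' or '#' inside a value is not taken for a comment.
TOKEN_RE = re.compile(
    r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
SETTINGS_RE = re.compile(r"require(?:_once)?\b[^;]*wp-settings\.php")


def strip_comments(text):
    """Blank out PHP comments with spaces (offsets stay valid), keep string literals."""
    return TOKEN_RE.sub(
        lambda m: m.group() if m.group()[0] in "'\"" else " " * len(m.group()), text)


def audit_wp_config(text):
    """Return a list of findings; an empty list means FORCE_SSL_ADMIN is enabled."""
    code = strip_comments(text)
    cut = SETTINGS_RE.search(code)
    limit = cut.start() if cut else len(code)  # defines after this point come too late
    findings, effective = [], False
    for m in DEFINE_RE.finditer(code):
        open_q, name, close_q, value = m.groups()
        if open_q not in "'\"" or close_q not in "'\"":
            findings.append(f"{name}: typographic quotes, not a PHP string literal")
        elif m.start() > limit:
            findings.append(f"{name}: defined after wp-settings.php is loaded")
        elif value.lower() not in ("true", "1"):
            findings.append(f"{name}: set to {value}, HTTPS is not forced")
        elif name == "FORCE_SSL_ADMIN":
            effective = True
    if not effective:
        findings.append("FORCE_SSL_ADMIN is not effectively enabled")
    return findings


# Constructed sample: one commented-out define, one with curly quotes, one too late.
SAMPLE = """<?php
// define('FORCE_SSL_ADMIN', true);
define('AUTH_KEY', 'x/*y#z');
define(\u2018FORCE_SSL_LOGIN\u2019, true);
require_once ABSPATH . 'wp-settings.php';
define('FORCE_SSL_ADMIN', true);
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE):
        print(finding)
```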
Speaking of wp-admin… Another must-have protection is to change the administration login URL to something different from the well-known name.
It totally eludes me why this is not part of the default WordPress options. But it’s not and we need to use a plugin to make this happen. An example would be “All-In-One-WP-Security”, but there might be others…