Force SSL Admin

Every time you log into WordPress over plain HTTP, your password travels across the internet in plain text. Anyone on the same network — coffee shop WiFi, hotel, airport — can intercept it. This module forces all admin and login traffic over HTTPS, encrypting everything between your browser and your server.

Use Cases

  • Protect admin passwords from being intercepted on public WiFi
  • Prevent session hijacking where attackers steal your logged-in session
  • Meet PCI compliance requirements for secure admin access
  • Ensure all admin work happens over encrypted connections
  • Protect contributor and editor logins on multi-author sites

How It Works

When enabled, the module:

  1. Defines the FORCE_SSL_ADMIN constant (WordPress core setting)
  2. Automatically redirects any HTTP admin request to HTTPS
  3. Displays warnings if SSL isn’t properly configured

This is a toggle module — enable it and it works automatically.

Requires a working SSL certificate. Before enabling, make sure your site has HTTPS working. Test by visiting https://yoursite.com/wp-admin/ manually first.

Prerequisites

Before enabling this module, confirm:

  1. SSL certificate installed — Your hosting provider or a service like Let’s Encrypt
  2. HTTPS accessible — Visit https://yoursite.com and confirm it loads
  3. No mixed content warnings — Check browser console for errors
  4. Admin accessible via HTTPS — Test https://yoursite.com/wp-admin/

Verification

After enabling:

  1. Go to your WordPress login page
  2. Check the URL bar — should show https:// with a padlock icon
  3. Log in and navigate the admin area
  4. All URLs should remain HTTPS

If you see any HTTP URLs or broken padlock icons, there may be mixed content issues to resolve.

Emergency Disable

Locked out? If enabling this module causes redirect loops or access issues:

Visit your homepage (not admin) with the bypass parameter:

https://yoursite.com/?switchboard_disable_ssl=true

This automatically disables the module and redirects you to the admin area.

Important: Add the parameter to your homepage URL, not the admin URL. The bypass only works when accessed from the frontend first.

Common Issues

Redirect Loop

Symptom: Page keeps refreshing or shows “too many redirects” error.

Cause: Your site doesn’t have a working SSL certificate, or your server isn’t properly detecting HTTPS.

Fix: Use the emergency disable parameter above, then ensure SSL is properly configured before re-enabling.
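The manual check under Verification and the redirect loop described here can both be confirmed outside the browser. The script below is an added example, not part of the module: it walks the redirect chain from an http:// admin URL one hop at a time and reports whether the request ends on HTTPS, is served over HTTP, or loops. The function names, verdict strings, MAX_HOPS limit and the example.test responses are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit, urljoin

MAX_HOPS = 10  # assumption: give up after this many redirects

def fetch_hop(url):
    """One HEAD request, redirects not followed. Returns (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_forced_https(start_url, fetch=fetch_hop):
    """Walk the redirect chain from start_url; return (verdict, urls_visited)."""
    url, seen = start_url, []
    for _ in range(MAX_HOPS):
        if url in seen:  # same URL requested twice: the "too many redirects" case
            return "redirect-loop", seen + [url]
        seen.append(url)
        status, location = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        # Chain ended: the page was delivered over the scheme of the last URL.
        verdict = "forced-https" if urlsplit(url).scheme == "https" else "served-over-http"
        return verdict, seen
    return "too-many-redirects", seen

# Constructed responses (not captured from a real site) so the demo runs offline:
# the HTTPS URL keeps redirecting to itself.
SAMPLE_LOOP = {
    "http://example.test/wp-admin/": (301, "https://example.test/wp-admin/"),
    "https://example.test/wp-admin/": (301, "https://example.test/wp-admin/"),
}

if __name__ == "__main__":
    print(check_forced_https("http://example.test/wp-admin/", fetch=SAMPLE_LOOP.get))
    # Against a live site: check_forced_https("http://yoursite.com/wp-login.php")
```

When run against a live site, a certificate that fails validation raises ssl.SSLCertVerificationError inside fetch_hop, which corresponds to the SSL Certificate Not Trusted case below.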

Mixed Content Warnings

Symptom: Admin loads but browser shows broken padlock or warnings.

Cause: Some resources (images, scripts, stylesheets) are loading over HTTP instead of HTTPS.

Fix: This is a theme or plugin issue, not a problem with this module. Check browser console for specific URLs and update them to HTTPS.

SSL Certificate Not Trusted

Symptom: Browser shows “Your connection is not private” warning.

Cause: SSL certificate is expired, self-signed, or misconfigured.

Fix: Contact your hosting provider or renew your SSL certificate.

FAQ

Does this affect my site’s frontend?
No. This module only forces HTTPS for the admin area (/wp-admin/) and login page (wp-login.php). Your frontend can still be accessed via HTTP if you haven’t set up full-site HTTPS.

Should I use this if my whole site is already HTTPS?
If your entire site already forces HTTPS (through .htaccess, server config, or another plugin), this module is redundant but won’t cause issues. It provides an extra layer of assurance that admin traffic is always encrypted.

What about wp-login.php?
The module protects the login page too. Any request to wp-login.php over HTTP will be redirected to HTTPS before your password is submitted.

Will this work with Cloudflare or other CDNs?
Usually yes, but CDN configurations vary. If you’re using Cloudflare’s Flexible SSL (where Cloudflare connects to your server over HTTP), you may experience redirect loops. Use Cloudflare’s Full or Full (Strict) SSL mode instead.

Do I need this if I have a security plugin like Wordfence?
Security plugins often have similar functionality. If you already have SSL admin forced through another plugin, you don’t need this module too. Having both enabled won’t cause problems, but it’s redundant.

Best practice: Don’t stop at admin-only HTTPS. Your entire site should use HTTPS. Many hosts offer free SSL via Let’s Encrypt. Once you have full-site HTTPS, update your WordPress Address and Site Address in Settings → General to use https://.

This module sets the WordPress FORCE_SSL_ADMIN constant. If this constant is already defined in your wp-config.php, the module respects that setting.
