Force SSL on login pages based on wp-config
Firefox and other browsers are finally starting to take login security seriously. There’s a notice posted that a page is Not secure if it contains a password field but was loaded over HTTP. Seeing that warning makes users feel like a site isn’t properly managed, and deservedly so.
The official WordPress way is to use FORCE_SSL_ADMIN:
The constant FORCE_SSL_ADMIN can be set to true in the wp-config.php file to force all logins and all admin sessions to happen over SSL.
We use
define('FORCE_SSL_ADMIN', true);
in wp-config. This makes all logins be served only over HTTPS – except the Theme My Login ones.

History: There used to be a separate FORCE_SSL_LOGIN. Don’t remember for sure but TML might have adhered to that some years ago. However, its functionality was merged into FORCE_SSL_ADMIN with the rationale “providing SSL login without SSL admin areas is a false sense of security” in #10267 in 2014 and the function was deprecated in #34011 in 2015. Theme My Login deviates from this behavior by providing login pages that don’t force themselves to be HTTPS even when FORCE_SSL_ADMIN is set to true.
Could the login, registration and password reset pages be made to redirect from HTTP to HTTPS when FORCE_SSL_ADMIN is true?
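
One way to get the requested redirect from a small must-use plugin, shown as an added example that is not part of the original post and is not Theme My Login's own code. The page slugs and the `example_` names are assumptions; adjust the slugs to the pages that actually hold the login, registration and password reset forms.

```php
<?php
/**
 * Plugin Name: Force HTTPS on front-end login pages (added example)
 */

// Assumption: slugs of the front-end login, registration and password pages.
const EXAMPLE_LOGIN_PAGE_SLUGS = array( 'login', 'register', 'lostpassword', 'resetpass' );

add_action( 'template_redirect', 'example_force_ssl_login_pages', 1 );

function example_force_ssl_login_pages() {
	// Follow the same switch core uses: FORCE_SSL_ADMIN in wp-config.php.
	// Behind a TLS-terminating proxy, is_ssl() must already report HTTPS
	// correctly, otherwise this redirect loops.
	if ( ! force_ssl_admin() || is_ssl() ) {
		return;
	}

	// Only act on the pages that render a password or registration form.
	if ( ! is_page( EXAMPLE_LOGIN_PAGE_SLUGS ) ) {
		return;
	}

	// Same redirect wp-login.php performs. wp_safe_redirect() falls back to
	// the admin URL when the Host header is not an allowed host, so a forged
	// Host header cannot steer the user to another site.
	if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
		wp_safe_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
	} else {
		wp_safe_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
	}
	exit;
}
```

The redirect only guarantees that the form is loaded, and therefore submitted, over HTTPS; links and widgets elsewhere on the site that post credentials to an `http://` URL still need to be changed to `https://`.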