SSL and multisite subdomains

That’s kind of how basic SSL certs work, I’m afraid :/

There are ways around it, but you’ll have to study up on SSL. It’s a problem outside of WP, as I have it on other accounts too.

I guess that’s kind of my question. I think I would like to force everyone to log in at https://example.com/wp-login.php (regardless of what subdomain they’re starting from) and not have WP send them to https://subdomain.example.com/wp-login.php. Every user can log in at any wp-login.php screen on the site, so I don’t quite see the point of having WP specify the subdomain in the URL. I feel like this is probably possible using mod_rewrite or possibly a simple plug-in, but I haven’t been able to find anything.

You can’t do that quite how you’re thinking. I mean, you can do an .htaccess redirect for it, but that won’t solve the problem, since the admin sections for each site are per subdomain.

If you did subfolders instead of subdomains, you’d be fine, but servers treat subdomains as separate domains, basically :/ at least on a security level

Wouldn’t it work for the login screen itself though? Although admin pages over SSL would be nice, I’m really only concerned about logging in (i.e. FORCE_SSL_LOGIN not FORCE_SSL_ADMIN). And I can log in at https://example.com/wp-login.php with my subdomain user’s credentials. After that, WP can push the user to non-SSL admin pages under any subdomain it wants, and I don’t really care too much.

Then you can try it. It may work. But yes, if you login at the main domain, you will be logged in for ALL subdomains, so try redirecting the WP-login page via .htaccess.

For anyone who finds this in the future, I finally did get it set up. It looks like if you define FORCE_SSL_LOGIN in wp-config.php it will work, even on a multisite (network). Although you are prompted to log in and out at https://subdomain.example.com/wp-login.php, if you view the source the login form is submitted to https://example.com/wp-login.php via SSL connection. There is no need for htaccess redirects and all that. WordPress does it all perfectly behind the scenes. Thanks WP. It’ll teach me to think twice about trying to solve a problem before I know I have one ??

And also, FORCE_SSL_ADMIN would be nice, but I don’t want to pay that much for a Wildcard Subdomain SSL certificate. I never did try doing htaccess redirects for it, but I don’t think it would work. If you enable FORCE_SSL_ADMIN with a single-site SSL certificate, you’ll get SSL errors when viewing https://subdomain.example.com/wp-admin/

Right… took me a day to figure it out, too – If you’re using a subdomain install, the respective dashboards for all of the WP sites are being served by the one instance of WP. The other subdomains (i.e. https://sub1.main.com/wp-admin) will also work – BUT your browser will first complain that the cert is for the wrong site. I just made an exception so that my browser will save that exception and continue on… Of course this is not very elegant if you’re a WP hoster, but if it’s just for your own sites, it works just fine. I’m running an instance like how I’ve mentioned.