WPMU OpenID and SSL

It’s no secret that I’m using WordPress MU for this website. It makes it very easy to keep the main site as well as my and Tati’s blogs updated. Recently I’ve been wanting to continue properly securing the blogs and added HTTPS support as well as Yubikey required logins. Once that was in place my next goal was to get OpenID integrated with the sites again. This way the blogs can be used as our OpenID identity. I also wanted to use OpenID to allow others to comment on posts. I ended up using the WordPress OpenID plugin, and with a little tweaking it works perfectly with WPMU.

All told, setting everything up did not go as smoothly as I had hoped, but it all got implemented and is working properly. The easiest part of adding HTTPS support was getting Apache configured. I’m not going to go into detail about how to use SSL with Apache, mainly because there are plenty of tutorials available for this.

I ran into HTTPS problems with WordPress itself. I first read the WordPress guide for Administration Over SSL but could not get the force SSL options to work. I ended up using the rewrite rules. The rewrite rules worked fine until I tried adding OpenID. Since they rewrite the URL from HTTP to HTTPS under certain circumstances, they were causing the OpenID redirects to fail. Removing the rewrite rules would make everything work. After a while I went back to trying to get the force SSL options working. What I discovered is that the following options need to be toward the beginning of the wp-config.php file, not the end. Putting them at the end causes them to not be loaded.

[code lang="php"]
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
[/code]

The SSL issues didn’t end there. The OpenID plugin’s FAQ says that the following option needs to be set when using the force SSL options.

[code lang="php"]
define('OPENID_SSL', true);
[/code]

However, don’t set the OPENID_SSL option because it will cause OpenID logins to fail. WordPress MU (at least 3.0) will redirect to SSL for login and then redirect back just fine without OpenID needing to account for the HTTPS connection itself.
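An added example, not part of the original post or of any plugin: a small Python check that reads a wp-config.php and reports the three configuration problems described above. It assumes the standard layout in which wp-config.php hands control to WordPress by requiring wp-settings.php; `check_wp_config` and the sample file contents are constructed for illustration.

```python
import re

QUOTES = "'\"\u2018\u2019\u201c\u201d"   # straight plus typographic quotes
DEFINE_RE = re.compile(
    r"define\(\s*([%s])(\w+)[%s]\s*,\s*(\w+)\s*\)" % (QUOTES, QUOTES))
# wp-config.php hands control to WordPress on this line; later defines are too late.
SETTINGS_RE = re.compile(r"^\s*require(_once)?\b.*wp-settings\.php")
FORCE_OPTIONS = ("FORCE_SSL_ADMIN", "FORCE_SSL_LOGIN")

# Constructed sample: options at the end, pasted curly quotes, OPENID_SSL set.
SAMPLE = (
    "<?php\n"
    "require_once(ABSPATH . 'wp-settings.php');\n"
    "define(\u2018FORCE_SSL_ADMIN\u2019, true);\n"
    "define('OPENID_SSL', true);\n"
)


def check_wp_config(text):
    """Return (constant, problem) pairs for the settings discussed in the post."""
    findings, defined, loaded_at = [], set(), None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue                      # skip commented-out lines
        if loaded_at is None and SETTINGS_RE.search(line):
            loaded_at = lineno            # WordPress starts loading here
            continue
        for quote, name, value in DEFINE_RE.findall(line):
            enabled = value.lower() == "true"
            if name == "OPENID_SSL" and enabled:
                findings.append((name, "set to true"))   # the post advises against this
            if name not in FORCE_OPTIONS:
                continue
            defined.add(name)
            if quote not in "'\"":        # curly quotes are not PHP string delimiters
                findings.append((name, "typographic quotes"))
            if not enabled:
                findings.append((name, "not set to true"))
            if loaded_at is not None:
                findings.append((name, "defined after wp-settings.php (line %d)" % loaded_at))
    for name in FORCE_OPTIONS:
        if name not in defined:
            findings.append((name, "not defined"))
    return findings


if __name__ == "__main__":
    for name, problem in check_wp_config(SAMPLE):
        print("%s: %s" % (name, problem))
```
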

That takes care of getting SSL working and getting OpenID working with SSL. However, I did have two issues with getting the OpenID plugin working.

First, I was using the Bad Behavior plugin. I say was because it causes OpenID logins to fail. For some reason Bad Behavior detects OpenID logins directed to the OpenID server that the OpenID plugin has created as attacks on the blog. I have not tried to find a way to make the two work together and instead just removed Bad Behavior. This was an easy decision because in the past few months I was using Bad Behavior it only reported stopping a very low number of attacks.

Second, the latest release of the OpenID plugin does not work properly with PHP 5.3. Luckily there is a patch to fix this. Changing the two lines is all that’s needed to get it working.

The OpenID plugin works with WordPress MU 3.0 and with SSL-protected logins. You need to patch the OpenID plugin if you are using PHP 5.3, and you should not set the OPENID_SSL option. Also, don’t use Bad Behavior, and use WordPress’s built-in SSL options instead of rewrite rules.