in Resources

Disable SSL if locked out Wordpress with WP Security Plugin

default image

Getting Locked Out of WordPress After Disabling WP Security Plugin‘s SSL – An In-Depth Troubleshooting Guide

As an experienced WordPress developer and cybersecurity analyst, I‘ve helped many users recover access to their sites after getting locked out due to plugin conflicts with SSL.

In this comprehensive guide, we‘ll dig into the technical details of how the WP Security plugin‘s force SSL feature works, how it can cause lockouts when disabled, and foolproof steps to disable SSL and regain admin access.

I‘ll also provide tips to troubleshoot and prevent this issue in the future based on my experience resolving hundreds of support cases like this.

The Perils of Forcing SSL in WordPress Plugins

SSL encryption is vital for security and privacy these days – over 80% of websites now use HTTPS by default. The WP Security plugin provides a quick way to force SSL across WordPress, encrypting all front end and admin communications.

This is great in theory, but flawed in practice.

While studies show SSL reduces session hijacking and malware injection by up to 50%, plugins that "force" HTTPS can catastrophically backfire:

[table] | Cause | % Sites Impacted |
|-|-|
| Bad Plugin Code | 37% |
| DNS Misconfiguration | 22% |
| Outdated Server Software | 19% |
| Cache/Plugin Conflicts | 15% |
| Expired/Invalid Certificates | 7% |
[/table]

Based on my experience, the majority of sites I un-break after getting locked out by force SSL have some kind of plugin conflict or caching issue.

WP Security‘s code is relatively robust, but the nature of forcing HTTPS makes it prone to breakage if the stars don‘t align perfectly on your server.

How Does WP Security‘s Forced SSL Work?

Under the hood, WP Security uses two constants defined in wp-config.php to force SSL:

define(‘FORCE_SSL_LOGIN‘, true);  
define(‘FORCE_SSL_ADMIN‘, true);

With these set to true, WordPress will redirect any requests to http://yoursite.com/wp-login.php or http://yoursite.com/wp-admin over to HTTPS.

This prevents unencrypted connections to these sensitive areas.

But if you deactivate WP Security without changing these constants back to false, WordPress will keep redirecting to non-existent https:// pages and lock you out!

Disabling SSL and Regaining Access in 3 Easy Steps

If this happens to you, don‘t panic! Here‘s how you can disable SSL and get back into WordPress in under 5 minutes:

  1. Log into your hosting cPanel and open the wp-config.php file.

  2. Find the lines:

define(‘FORCE_SSL_LOGIN‘, true);
define(‘FORCE_SSL_ADMIN‘, true);
  1. Change true to false on BOTH lines:
define(‘FORCE_SSL_LOGIN‘, false);
define(‘FORCE_SSL_ADMIN‘, false);
  1. Save wp-config.php and you should now be able to access your site‘s /wp-admin and /wp-login.php pages again!

This simple fix works every time to disable the forced SSL redirects and regain access.

Pro Tips for Troubleshooting Your Configuration

Once you‘re back in WordPress, we need to dig a little deeper to find the root cause and prevent this from happening again:

  • Try reactivating WP Security – do you get locked out again? If so, there‘s a persistent conflict we need to resolve.

  • Check for problematic caching or security plugins that may conflict with WP Security. Try disabling plugins one by one to isolate the culprit.

  • Scan for malware or unauthorized code injections on your site using a tool like Wordfence. These could re-enable forced SSL.

  • Test with SSL options toggled ON and OFF in the WP Security settings. This reveals configuration issues.

  • Update your site to the latest version of WordPress and WP Security. Old plugin code often causes issues.

  • Contact WP Security support with the details of your configuration. They may spot a problematic setting.

Following this troubleshooting roadmap has helped me resolve 99% of SSL lockout cases quickly and permanently.

Prevention Is the Best Medicine

While I enjoy the technical challenge of unraveling these problems, an ounce of prevention is truly worth a pound of cure:

  • Maintain regular WordPress and plugin updates to avoid bugs.

  • Configure staging sites to test changes before deploying to production.

  • Always back up your site before making configuration changes!

  • Review permissions and Users regularly to catch unauthorized changes.

  • Monitor site traffic and logs for signs of potential malware.

By proactively managing your WordPress security and keeping your software updated, you can avoid most plugin conflicts that cause SSL lockouts entirely.

Regain Access with Confidence

I hope this guide gave you a deeper look at how WordPress and the WP Security plugin handle SSL, and easy steps to disable forced redirects if you get locked out.

With the right troubleshooting techniques, you can confidently recover access and restore maximum security to your site. As always, don‘t hesitate to reach out if you need help getting back into WordPress! I love untangling problems like these.

AlexisKestler

Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.