Enable SSL mysql database connections for your wordpress installation
Update:
Add the following to wp-config.php to enable SSL in Wordpress 3.6+
define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL);
Then run tcpdump on your box to confirm that it is connecting via SSL.
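To confirm that the session is really encrypted without a packet capture, here is an added PHP check (not WordPress core code) that connects the way wp-db.php does with mysqli, pins the CA so the server is verified rather than merely encrypted to, and asks the server which cipher it negotiated. The DB_* values and the CA path below are placeholders.

```php
<?php
// Added verification script; assumes the same DB_* constants as wp-config.php.
// All values here are placeholders for your own installation.
define('DB_HOST',     'db.example.internal');
define('DB_USER',     'wp_user');
define('DB_PASSWORD', 'CHANGE_ME');
define('DB_NAME',     'wordpress');
// CA bundle that signed the database server's certificate (placeholder path).
define('DB_SSL_CA',   '/etc/ssl/certs/db-ca-bundle.pem');

// Returns the negotiated cipher name, or '' if the session is plaintext.
function negotiated_cipher(mysqli $db): string
{
    $result = $db->query("SHOW STATUS LIKE 'Ssl_cipher'");
    $row    = $result ? $result->fetch_assoc() : null;
    return $row['Value'] ?? '';
}

$db = mysqli_init();

// MYSQLI_CLIENT_SSL alone only requests encryption; pinning the CA and
// enabling server-cert verification is what stops a man-in-the-middle.
$db->ssl_set(null, null, DB_SSL_CA, null, null);
$db->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);

if (!$db->real_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME, 3306, null, MYSQLI_CLIENT_SSL)) {
    fwrite(STDERR, "connect failed: " . mysqli_connect_error() . "\n");
    exit(1);
}

$cipher = negotiated_cipher($db);
$db->close();

if ($cipher === '') {
    fwrite(STDERR, "WARNING: database connection is NOT encrypted\n");
    exit(2);
}
echo "database connection encrypted with {$cipher}\n";
```

Run it from the same host as WordPress; a non-zero exit means either the connection failed outright or the server reported no SSL cipher for the session.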
Original dive into the wordpress code follows
Something that always annoys me is the quality of wordpress. But sadly, of course, we all keep selling it, and they'll keep patching holes. I originally couldn't find an authoritative answer on how to enable SSL database connections for your wordpress blog/site, so it's lucky that it's open source!
After delving into the wordpress code structure (not for the first time, as I've been hacking away at it for a while), I saw that wp-db.php defines $client_flags: if the constant 'MYSQL_CLIENT_FLAGS' is defined, its value is assigned to $client_flags, otherwise $client_flags is set to 0.
Let's change that :P
Dirty Fix:
For those who want the answer already, just edit line 1139 of wp-db.php (in v3.6.x).
File Location: <www dir>/wordpress/wp-includes/wp-db.php
From:
$client_flags = defined( 'MYSQL_CLIENT_FLAGS' ) ? MYSQL_CLIENT_FLAGS : 0;
To:
$client_flags = defined( 'MYSQL_CLIENT_FLAGS' ) ? MYSQL_CLIENT_FLAGS : MYSQL_CLIENT_SSL;
Also make sure the variable $client_flags is referenced in the same function, db_connect().
The following was taken out of my wp-db.php file, which successfully connects to an Amazon RDS instance over an encrypted SSL session.
function db_connect() {
--SNIP--
if ( WP_DEBUG ) {
$this->dbh = mysql_connect( $this->dbhost, $this->dbuser, $this->dbpassword, $new_link, $client_flags );
} else {
$this->dbh = @mysql_connect( $this->dbhost, $this->dbuser, $this->dbpassword, $new_link, $client_flags );
}
--SNIP--
“Real” Fix:
Note: I would never recommend changing any wordpress core files (in a production environment); please just change the wp-config.php file.
SO! Has anyone realized what I may have done wrong?
The test on 'MYSQL_CLIENT_FLAGS' will always yield 0 as long as we never add MYSQL_CLIENT_SSL to our wp-config.php. Although this would be an okay solution, as it would make sure SSL is always used no matter what, including for users who never edit their wp-config.php files.
I proposed this patch on the wp-trac site, but was immediately shut down, as I now realise it's just a hack and should never really be put into production.
wp-config.php
33,36d32
+ /** Database SSL Settings */
+ define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);
+ define('NEWLINK', true );
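Review bot: MYSQL_CLIENT_SSL on the define('MYSQL_CLIENT_FLAGS', ...) line only asks the client library to encrypt the transport; nothing in this hunk supplies a CA or server certificate, so the session is encrypted but the database server is never authenticated. Document that the CA must be configured on the client side (or add the corresponding SSL options next to these defines), and consider a name other than NEWLINK, which does not follow the DB_* / WP_* naming convention of the other wp-config.php constants.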
wp-includes/load.php
334c334
+ $wpdb = new wpdb( DB_USER, DB_PASSWORD, DB_NAME, DB_HOST, NEWLINK, MYSQL_CLIENT_FLAGS );
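Review bot: The new wpdb( ..., NEWLINK, MYSQL_CLIENT_FLAGS ) call passes both constants unconditionally, so on an install whose wp-config.php does not define them PHP treats each bare name as the string 'NEWLINK' / 'MYSQL_CLIENT_FLAGS' (with a notice) rather than a flag value. Guard them the way wp-db.php already guards the flags, e.g. `defined( 'MYSQL_CLIENT_FLAGS' ) ? MYSQL_CLIENT_FLAGS : 0`, with a similar default of false for NEWLINK.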
wp-includes/wp-db.php
479,495d478
+ /**
+ * Database Client Flags
+ *
+ * @since 3.6.x
+ * @access protected
+ * @var string
+ */
+ protected $client_flags;
+
+ /**
+ * Database Client Flags
+ *
+ * @since 3.6.x
+ * @access protected
+ * @var string
+ */
+ protected $new_link;
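Review bot: Both docblocks are titled "Database Client Flags" and typed @var string, but $new_link holds the boolean passed to mysql_connect and $client_flags holds an integer bitmask; fix the second description to describe the new-link flag and change the types to @var bool and @var int respectively. The @since 3.6.x placeholder should also be replaced with the actual target version.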
544c536
+ function __construct( $dbuser, $dbpassword, $dbname, $dbhost, $new_link, $client_flags ) {
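Review bot: Changing __construct to six required parameters breaks every caller that still constructs wpdb with the four original arguments (custom db.php drop-ins, plugins, tests); give the new parameters defaults, e.g. `$new_link = false, $client_flags = 0`, so existing callers keep working and only load.php opts in to the new behaviour.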
556,558c548
+
+ $this->new_link = $new_link;
+ $this->client_flags = $client_flags;
1163c1152
+ $this->dbh = mysql_connect( $this->dbhost, $this->dbuser, $this->dbpassword, $this->new_link, $this->client_flags );
1165c1154
+ $this->dbh = mysql_connect( $this->dbhost, $this->dbuser, $this->dbpassword, $this->new_link, $this->client_flags );
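Review bot: The 1165c1154 hunk replaces the non-debug branch, which in the original used @mysql_connect (see the db_connect() excerpt above), with the same un-suppressed call as the WP_DEBUG branch at 1163c1152; that silently changes behaviour so connection warnings are emitted on production sites that do not set WP_DEBUG. Keep the @ on this line so the two branches stay distinct.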
Just a thought... and a solution (apparently). I got a little carried away with this one. I also found that this is very similar to a patch that was accepted some 8+ months ago on the wordpress trac site, but apparently it fell by the wayside.
I wanted SSL encrypted database connections! And now I have it.