At work, we are securing the admin panel for the multi-site WordPress installation we are running. We have 300+ sites currently and it grows every week. We are also migrating an additional 1000+ blogs from a legacy platform to WordPress, so in the near future we will have close to 1400 blogs on a single multi-site installation.
Configuring WordPress for an SSL admin panel is not very difficult. In fact, that was the easy part, thanks to a plugin from Mvied. The hard part is getting all of the currently used plugins to work correctly under SSL and making sure they are not using hard-coded schemes. The fix is easy, but on a current installation that contains well over 50 plugins, I have to log into enough blogs to cover all of the installed plugins and check for any non-secure pages.
Not fun, but necessary.
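One way to shortlist plugins before the manual check for hard-coded schemes, as an added example that is not part of the original post or of the WordPress HTTPS plugin: a Python scanner that flags hard-coded `http://` URLs in plugin source. The function names, the ignore list, the asset heuristic and the sample plugin file are assumptions made for illustration.

```python
import re
from pathlib import Path

URL_RE = re.compile(r"http://[^\s\"'()<>]+")
# Namespace/DTD identifiers are never fetched by the browser, so skip them.
IGNORE_HOSTS = ("www.w3.org/", "purl.org/", "gmpg.org/")
# Heuristic: contexts where the browser loads the URL (mixed content over HTTPS).
ASSET_RE = re.compile(
    r"wp_(?:enqueue|register)_(?:script|style)|\bsrc\s*=|url\("
    r"|\.(?:js|css|png|jpe?g|gif|svg|woff2?)\b", re.I)
COMMENT_RE = re.compile(r"^\s*(?://|/?\*)")


def scan_source(text):
    """Return (line_no, kind, url) for each hard-coded http:// URL in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if COMMENT_RE.match(line):
            continue  # plugin headers and docblocks carry harmless links
        for url in URL_RE.findall(line):
            if url[len("http://"):].startswith(IGNORE_HOSTS):
                continue
            kind = "asset" if ASSET_RE.search(line) else "link"
            findings.append((no, kind, url))
    return findings


def scan_plugins(root):
    """Walk a plugins directory; yield (relative_path, line_no, kind, url)."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in {".php", ".js", ".css"}:
            text = path.read_text(encoding="utf-8", errors="replace")
            for no, kind, url in scan_source(text):
                yield str(path.relative_to(root)), no, kind, url


# Constructed sample plugin file (not taken from any real plugin).
SAMPLE = """<?php
/*
 * Plugin URI: http://example.com/sample-plugin
 */
wp_enqueue_script('sample', 'http://cdn.example.com/sample.js');
wp_enqueue_style('ok', plugins_url('css/ok.css', __FILE__));
echo '<a href="http://example.com/docs">Docs</a>';
echo '<svg xmlns="http://www.w3.org/2000/svg"></svg>';
"""

if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

Findings of kind `asset` are the ones likely to produce mixed-content warnings on an SSL admin page. URLs built at runtime are not detected, so the scan narrows the manual review rather than replacing it.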
I also sent patches in for the WordPress HTTPS plugin, and once I get a few free cycles (yeah, right) I’d like to help with the performance of the plugin.
There is a noticeable slowdown in the admin panel when it is behind SSL, even though I am terminating the SSL on the load balancers so the WordPress servers (Ubuntu running Nginx with PHP-FPM) are not doing any of the heavy lifting with encrypting traffic. The increased traffic caused by the encrypted text is enough to cause a slowdown in responsiveness, not bad, but you can tell it is slower.
We have a couple of sites in production right now, with pretty good results, but we still need to verify many more plugins.
I’ll keep you posted on the results.