Peter Bishop

I solved my problem by setting FORCE_SSL_ADMIN to true in the wp-config.php file.
The documentation page Administration over SSL explains the need for and how to set this variable.

The only thing I am suggesting is to add a link from the HTTPS for WordPress documentation page to the Administration over SSL documentation page.

Just as the WordPress admin functions make it appear to the naive WordPress user that they do not need to edit any of the files on their server, so GoDaddy has a similar goal. GoDaddy has an automated script for installing WordPress on a GoDaddy hosted site that enables HTTP and HTTPS for all pages. They charge extra for an SSL certificate, however. Once you buy an SSL certificate for your domain, however, they install it for you, so I did not need any of the instructions on the HTTPS for WordPress documentation page.

My problem was that after the SSL certificate was installed on my GoDaddy website, WordPress did not automatically force use of SSL when logging in or when performing admin functions. Thus, since GoDaddy installs WordPress using the not recommended technique of enabling all pages for both HTTP and HTTPS, it was still possible to access wp-login.php via HTTP.

I did not quite realize that, if I simply used wp-login.php via HTTPS, which was now possible, that most of my problem would be solved.
Now that I have set FORCE_SSL_ADMIN, however, when I try to use wp-login.php over HTTP, it immediately switches to HTTPS.

Thus, presumably the problem with the documentation in the HTTPS for WordPress page is that it assumed that you had already set Apache to require use of wp-login.php over HTTPS and not HTTP. I am beginning to realize that the FORCE_SSL_ADMIN flag in the wp-config.php file was designed to significantly reduce the damage if all pages were enabled for both HTTP and HTTPS. It is possible that if this flag is set, then it is perfectly fine to make all pages accessible to both HTTP and HTTPS.

The change I am proposing is a change to the documentation for the HTTPS for WordPress page so it at least links to the Administration over SSL page.

In my mind, the goal of minimizing the need for WordPress site admins to edit any of the files on the server is a good goal. Although I, at one time, did quite a bit of editing Apache config files, it has been many years since I did this. I remember it being a rather error-prone task, not unlike the error-prone tasks throughout much of a programmer’s life. It was vastly easier than programming in assembly language, however, which was how I was introduced to the programming profession.

An additional suggestion I have for WordPress documentation is to clearly identify which files on the server need to be edited and which ones will be “taken care of” by the WordPress DashBoard. Once I know which files may need to be edited, I can start thinking about which languages I need to learn, although it is pretty obvious that php and CSS are both needed. If I can find templates and add-ins that do what I need, however, I may not need to program in either php or CSS. I think the WordPress project should be commended for how well the goal of editing all files through the Dashboard has been met. If this goal is to be abandoned when installing SSL certificates, then at least link to the page that explicitly says how to edit the file that needs to be edited to make the SSL certificate do what almost everyone wants it to do.