Securing WordPress 2 Admin access with SSL
See http://jameswestby.net/blog/?p=6

-+-+-+-+-+
Based on a patch by Juergen Kreileder <jk@blackdown.de>

* Use secure authentication cookies in wp_setcookie()
* Make check_admin_referer() work with HTTPS URLs
* Use HTTPS URLs for notification mails
* Use HTTPS URLS for redirects to wp-login.php
* Disable login over XML-RPC
* Set content type for list-manipulation.php output
* Backport 'Mark-as-Spam' feature from trunk

Changelog:

2006-03-19      * Set content type for list-manipulation.php output
                * Use HTTPS for Login & Register links
                * Backport 'Mark-as-Spam' feature from trunk
2006-02-01      Updated for Wordpress 2.0.1
2006-01-22      Initial version
-+-+-+-+-+

This version defines a new setting, siteurl_secure, which is the URL you
would like to use for accessing your blog over SSL. It is then used when
building links to the login and admin pages.

It includes the first 5 features from the original patch; the remaining ones
serve different purposes.

This patch applies to the SVN checkout of 2006-04-14. Please contact me if you
have any issues with it.

In order for this to work you must add the following 3 lines to your
wp-config.php, just after require_once(ABSPATH.'wp-settings.php');
and just before ?>. Make sure that you change the hostname and paths to
reflect your setup.

wp_cache_set("siteurl_secure", "https://your-site.com/path-to-blog", "options");
#wp_cache_set("home", ($_SERVER["HTTPS"]?"https://":"http://").$_SERVER["SERVER_NAME"]."/path-to-blog", "options");
wp_cache_set("siteurl", get_settings("home"), "options");

If you uncomment the second line, then once a user is on HTTPS they stay
there, even when viewing content that does not need to be encrypted. This may
work better for sites where users must log in to comment.

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.


Also, read the patch first to make sure it does what I claim it does. If
you have a useful addition, consider contacting me so that I can
update this version.

Posting must be done over HTTPS for TinyMCE to work (and it is).

TODO - Integrate this with the options system.

James Westby <jw+blog@jameswestby.net> 
2006-04-16

Index: wp-includes/template-functions-general.php
===================================================================
--- wp-includes/template-functions-general.php	(revision 3708)
+++ wp-includes/template-functions-general.php	(working copy)
@@ -28,9 +28,9 @@
 
 function wp_loginout() {
 	if ( ! is_user_logged_in() )
-		$link = '<a href="' . get_settings('siteurl') . '/wp-login.php">' . __('Login') . '</a>';
+		$link = '<a href="' . get_settings('siteurl_secure') . '/wp-login.php">' . __('Login') . '</a>';
 	else
-		$link = '<a href="' . get_settings('siteurl') . '/wp-login.php?action=logout">' . __('Logout') . '</a>';
+		$link = '<a href="' . get_settings('siteurl_secure') . '/wp-login.php?action=logout">' . __('Logout') . '</a>';
 
 	echo apply_filters('loginout', $link);
 }
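Review bot: Every link built here now depends on `siteurl_secure`, which according to the preamble exists only as a cache entry seeded from wp-config.php, so on an install where that line is missing `get_settings('siteurl_secure')` will most likely come back empty and the href collapses to `/wp-login.php` — a broken link for a blog installed in a subdirectory. A single accessor with a fallback, e.g. `$u = get_settings('siteurl_secure'); return $u ? $u : get_settings('siteurl');`, would turn that failure mode into "old non-SSL URL" instead of "dead link", and the call sites would read the same as they do now. The same point applies to the second hunk of this file and to every `siteurl_secure` use in pluggable-functions.php and functions-post.php; it is raised only here.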
@@ -40,11 +40,11 @@
 
 	if ( ! is_user_logged_in() ) {
 		if ( get_settings('users_can_register') )
-			$link = $before . '<a href="' . get_settings('siteurl') . '/wp-register.php">' . __('Register') . '</a>' . $after;
+			$link = $before . '<a href="' . get_settings('siteurl_secure') . '/wp-register.php">' . __('Register') . '</a>' . $after;
 		else
 			$link = '';
 	} else {
-		$link = $before . '<a href="' . get_settings('siteurl') . '/wp-admin/">' . __('Site Admin') . '</a>' . $after;
+		$link = $before . '<a href="' . get_settings('siteurl_secure') . '/wp-admin/">' . __('Site Admin') . '</a>' . $after;
 	}
 
 	echo apply_filters('register', $link);
Index: wp-includes/pluggable-functions.php
===================================================================
--- wp-includes/pluggable-functions.php	(revision 3708)
+++ wp-includes/pluggable-functions.php	(working copy)
@@ -221,7 +221,7 @@
 			 (empty($_COOKIE[USER_COOKIE])) ) {
 		nocache_headers();
 
-		header('Location: ' . get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
+		header('Location: ' . get_settings('siteurl_secure') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
 		exit();
 	}
 }
@@ -229,7 +229,7 @@
 
 if ( !function_exists('check_admin_referer') ) :
 function check_admin_referer() {
-	$adminurl = strtolower(get_settings('siteurl')).'/wp-admin';
+	$adminurl = strtolower(get_settings('siteurl_secure')).'/wp-admin';
 	$referer = strtolower($_SERVER['HTTP_REFERER']);
 	if (!strstr($referer, $adminurl))
 		die(__('Sorry, you need to <a href="http://codex.wordpress.org/Enable_Sending_Referrers">enable sending referrers</a> for this feature to work.'));
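Review bot: The referer check on the line after the changed one is still a substring match — `strstr($referer, $adminurl)` accepts any referer that contains the admin URL anywhere in it, not only at the start — and `$_SERVER['HTTP_REFERER']` is read without checking that it is set, which raises a notice on requests that carry no referer. A prefix check does what the function name promises: `if (!isset($_SERVER['HTTP_REFERER']) || strpos(strtolower($_SERVER['HTTP_REFERER']), $adminurl) !== 0)`. Note also that once only the `siteurl_secure` prefix is accepted, an admin page still reached through the plain `siteurl` (a stale bookmark, for instance) will fail this check; that appears to be intended by the patch but is worth a comment on the changed line. check_admin_referer continues past the end of the hunk.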
@@ -300,22 +300,22 @@
 	else
 		$expire = 0;
 
-	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN);
-	setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);
+	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, 1);
+	setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, 1);
 
 	if ( $cookiepath != $sitecookiepath ) {
-		setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN);
-		setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);
+		setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, 1);
+		setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, 1);
 	}
 }
 endif;
 
 if ( !function_exists('wp_clearcookie') ) :
 function wp_clearcookie() {
-	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
-	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
+	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, 1);
+	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, 1);
+	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, 1);
+	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, 1);
 }
 endif;
 
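Review bot: The secure flag is passed as the integer literal `1` in all eight setcookie calls; the parameter is a bool, so `true` states the intent and matches how the other arguments are written. If the PHP the patch targets is 5.2 or later, the seventh `httponly` argument (`true`) is worth adding on the same USER_COOKIE/PASS_COOKIE lines, since it keeps those cookies out of reach of page scripts — confirm the minimum PHP version before relying on it. The flag is hard-coded rather than derived from the scheme the request arrived on, which is consistent with the patch's intent that these cookies only ever travel over HTTPS; a one-line comment above the first setcookie saying so would save the next reader from "fixing" it.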
@@ -360,8 +360,8 @@
 		$subject = sprintf( __('[%1$s] Pingback: "%2$s"'), $blogname, $post->post_title );
 	}
 	$notify_message .= get_permalink($comment->comment_post_ID) . "#comments\r\n\r\n";
-	$notify_message .= sprintf( __('To delete this comment, visit: %s'), get_settings('siteurl').'/wp-admin/comment.php?action=confirmdeletecomment&p='.$comment->comment_post_ID."&comment=$comment_id" ) . "\r\n";
-	$notify_message .= sprintf( __('To mark this comment as spam, visit: %s'), get_settings('siteurl').'/wp-admin/comment.php?action=confirmdeletecomment&delete_type=spam&p='.$comment->comment_post_ID."&comment=$comment_id" ) . "\r\n";
+	$notify_message .= sprintf( __('To delete this comment, visit: %s'), get_settings('siteurl_secure').'/wp-admin/comment.php?action=confirmdeletecomment&p='.$comment->comment_post_ID."&comment=$comment_id" ) . "\r\n";
+	$notify_message .= sprintf( __('To mark this comment as spam, visit: %s'), get_settings('siteurli_secure').'/wp-admin/comment.php?action=confirmdeletecomment&delete_type=spam&p='.$comment->comment_post_ID."&comment=$comment_id" ) . "\r\n";
 
 	$wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
 
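Review bot: The new spam link line, `sprintf( __('To mark this comment as spam, visit: %s'), get_settings('siteurli_secure')...`, misspells the option name, so the link in pingback/trackback notification mail will be built from an empty setting and come out as `/wp-admin/comment.php?...` with no host; change it to `get_settings('siteurl_secure')`. The approve/delete/spam lines in the moderation hunk further down spell it correctly, so only this line is affected.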
@@ -417,11 +417,11 @@
 	$notify_message .= sprintf( __('URI    : %s'), $comment->comment_author_url ) . "\r\n";
 	$notify_message .= sprintf( __('Whois  : http://ws.arin.net/cgi-bin/whois.pl?queryinput=%s'), $comment->comment_author_IP ) . "\r\n";
 	$notify_message .= __('Comment: ') . "\r\n" . $comment->comment_content . "\r\n\r\n";
-	$notify_message .= sprintf( __('To approve this comment, visit: %s'),  get_settings('siteurl').'/wp-admin/comment.php?action=mailapprovecomment&p='.$comment->comment_post_ID."&comment=$comment_id" ) . "\r\n";
-	$notify_message .= sprintf( __('To delete this comment, visit: %s'), get_settings('siteurl').'/wp-admin/comment.php?action=confirmdeletecomment&p='.$comment->comment_post_ID."&comment=$comment_id" ) . "\r\n";
-	$notify_message .= sprintf( __('To mark this comment as spam, visit: %s'), get_settings('siteurl').'/wp-admin/comment.php?action=confirmdeletecomment&delete_type=spam&p='.$comment->comment_post_ID."&comment=$comment_id" ) . "\r\n";
+	$notify_message .= sprintf( __('To approve this comment, visit: %s'),  get_settings('siteurl_secure').'/wp-admin/comment.php?action=mailapprovecomment&p='.$comment->comment_post_ID."&comment=$comment_id" ) . "\r\n";
+	$notify_message .= sprintf( __('To delete this comment, visit: %s'), get_settings('siteurl_secure').'/wp-admin/comment.php?action=confirmdeletecomment&p='.$comment->comment_post_ID."&comment=$comment_id" ) . "\r\n";
+	$notify_message .= sprintf( __('To mark this comment as spam, visit: %s'), get_settings('siteurl_secure').'/wp-admin/comment.php?action=confirmdeletecomment&delete_type=spam&p='.$comment->comment_post_ID."&comment=$comment_id" ) . "\r\n";
 	$notify_message .= sprintf( __('Currently %s comments are waiting for approval. Please visit the moderation panel:'), $comments_waiting ) . "\r\n";
-	$notify_message .= get_settings('siteurl') . "/wp-admin/moderation.php\r\n";
+	$notify_message .= get_settings('siteurl_secure') . "/wp-admin/moderation.php\r\n";
 
 	$subject = sprintf( __('[%1$s] Please moderate: "%2$s"'), get_settings('blogname'), $post->post_title );
 	$admin_email = get_settings('admin_email');
@@ -453,7 +453,7 @@
 
 	$message  = sprintf(__('Username: %s'), $user_login) . "\r\n";
 	$message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
-	$message .= get_settings('siteurl') . "/wp-login.php\r\n";
+	$message .= get_settings('siteurl_secure') . "/wp-login.php\r\n";
 
 	wp_mail($user_email, sprintf(__('[%s] Your username and password'), get_settings('blogname')), $message);
 
Index: wp-login.php
===================================================================
--- wp-login.php	(revision 3708)
+++ wp-login.php	(working copy)
@@ -219,6 +219,8 @@
 	}
 	window.onload = focusit;
 	</script>
+<!--Addded for secure admin-->
+<base href="<?=get_settings('siteurl_secure') ?>">
 </head>
 <body>
 
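Review bot: The added `<base href>` has no trailing slash, so when siteurl_secure is `https://host/path-to-blog` (the form the preamble shows) relative references on the login page such as `wp-login.php` resolve against `https://host/` and the blog path is dropped; `<base href="<?php echo htmlspecialchars(get_settings('siteurl_secure')); ?>/">` fixes that, keeps the attribute well-formed if the setting ever contains a quote, and avoids the `<?=` short tag, which on PHP before 5.4 only works when short_open_tag is enabled. The comment above it has a typo (`Addded`). A base element changes how every relative URL on the page resolves, including the form action, so a comment stating that this is the point of the line would help.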
Index: xmlrpc.php
===================================================================
--- xmlrpc.php	(revision 3708)
+++ xmlrpc.php	(working copy)
@@ -147,11 +147,11 @@
 	}
 
 	function login_pass_ok($user_login, $user_pass) {
-	  if (!user_pass_ok($user_login, $user_pass)) {
+//	  if (!user_pass_ok($user_login, $user_pass)) {
 	    $this->error = new IXR_Error(403, 'Bad login/pass combination.');
 	    return false;
-	  }
-	  return true;
+//	  }
+//	  return true;
 	}
 
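Review bot: login_pass_ok is disabled by commenting out its original body, which leaves the live code reading like an unreachable error branch, and the message `Bad login/pass combination.` tells callers their credentials were wrong when the real reason is that XML-RPC login has been switched off. Replace the commented lines with an explicit two-line body, `$this->error = new IXR_Error(403, 'Login over XML-RPC is disabled on this site.'); return false;`, with a one-line comment above it naming the secure-admin patch as the reason. `$user_login` and `$user_pass` are now unused; keep them so the signature still matches the callers.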
 	function escape(&$array) {
Index: wp-includes/functions-post.php
===================================================================
--- wp-includes/functions-post.php	(revision 3708)
+++ wp-includes/functions-post.php	(working copy)
@@ -1033,8 +1033,8 @@
  * Places two script links in <head>: one to get tinyMCE (big), one to configure and start it (small)
  */
 function tinymce_include() {
-	$src1 = get_settings('siteurl') . '/wp-includes/js/tinymce/tiny_mce_gzip.php?ver=04122006';
-	$src2 = get_settings('siteurl') . '/wp-includes/js/tinymce/tiny_mce_config.php?ver=04122006';
+	$src1 = get_settings('siteurl_secure') . '/wp-includes/js/tinymce/tiny_mce_gzip.php?ver=04122006';
+	$src2 = get_settings('siteurl_secure') . '/wp-includes/js/tinymce/tiny_mce_config.php?ver=04122006';
 
 	echo "<script type='text/javascript' src='$src1'></script>\n";
 	echo "<script type='text/javascript' src='$src2'></script>\n";
