So you have your SSL certificate installed on your WordPress blog, but you don’t want the whole site to be served over SSL. You only want to force a secure connection for the WordPress login page and admin pages. Here’s a quick tip for configuring that.
WordPress has two configuration constants: one forces SSL for logins only, the other forces both logins and the whole admin area to be accessed only via https (encrypted). To enable either, add the corresponding line to your wp-config.php:
Force SSL for logins:
define('FORCE_SSL_LOGIN', true);
Force SSL for logins and admin area:
define('FORCE_SSL_ADMIN', true);
Redirecting HTTPS requests for non-SSL pages back to HTTP
If you want to send visitors back to the non-SSL site (http) and only allow SSL for logins and the admin area, an easy way to do it is a .htaccess file containing the following lines:
# Externally redirect HTTPS requests for non-SSL pages back to HTTP.
RewriteCond %{ENV:HTTPS} on [NC]
RewriteRule !^wp-(admin/|login.php|includes/|content/)(.*)$ http://www.yoursite.com%{REQUEST_URI} [R=301,L]
Since the WordPress login and administration interface use files from the wp-includes and wp-content directories, those directories need to be excluded from the RewriteRule.
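To see which requests the rule above leaves on HTTPS and which it sends back to HTTP, the following added example (not part of the original post) models the RewriteCond and RewriteRule in Python and runs them over constructed request paths. It assumes the .htaccess file sits in the site's document root; decide(), SAMPLES and report() are names made up for this illustration.

```python
import re

# Pattern and redirect target copied from the .htaccess rule above.
# The leading "!" of the rule is applied inside decide().
EXCLUDED = re.compile(r"^wp-(admin/|login.php|includes/|content/)(.*)$")
HTTP_BASE = "http://www.yoursite.com"

# Constructed sample requests (not taken from a real server log).
SAMPLES = [
    "/wp-login.php",
    "/wp-admin/post.php?post=1&action=edit",
    "/wp-content/themes/example/style.css",
    "/2013/05/hello-world/",
    "/wp-admin",               # no trailing slash: not covered by "admin/"
    "/wp-comments-post.php",   # starts with "wp-" but is not in the list
    "/xmlrpc.php",             # also not in the list
]


def decide(https_env, request_uri):
    """Return the 301 Location the rule would send, or None if it does not fire."""
    # RewriteCond %{ENV:HTTPS} on [NC]  (NC = case-insensitive compare)
    if https_env.lower() != "on":
        return None
    # In .htaccess context RewriteRule sees the path without the leading "/"
    # and without the query string (assumes .htaccess is in the document root).
    path = request_uri.split("?", 1)[0][1:]
    # Negated pattern: the rule fires only when the path does NOT match.
    if EXCLUDED.search(path):
        return None
    # %{REQUEST_URI} is the path; mod_rewrite re-appends the query string.
    return HTTP_BASE + request_uri


def report(samples=SAMPLES):
    """Map each sample HTTPS request to its outcome under the rule."""
    return {uri: decide("on", uri) for uri in samples}


if __name__ == "__main__":
    for uri, location in report().items():
        print(f"{uri:45} -> {location or 'stays on HTTPS'}")
```

Any path missing from the exclusion list, including /wp-admin without the trailing slash and /xmlrpc.php, is redirected to plain HTTP, so check the list against every endpoint on your site that should stay encrypted.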
Warning
When editing or modifying the .htaccess file of your WordPress blog, make sure you always have a backup that you can restore in case something goes wrong.