Using amazon RDS with WordPress over SSL


Had the same question. Thankfully some other folks had proposed a reasonable solution here: https://core.trac.wordpress.org/ticket/28625. End-to-end, here's what I did to get SSL working:

1. Add the following to the WordPress wp-includes/wp-db.php file (except the last 2 lines, which are just for insertion point reference).

    //ADDED per https://core.trac.wordpress.org/ticket/28625
    // call set_ssl if mysql client flag set and settings available
    if ( $client_flags & MYSQL_CLIENT_SSL ) {
        $pack = array( $this->dbh );
        $call_set = false;
        foreach( array( 'MYSQL_SSL_KEY', 'MYSQL_SSL_CERT', 'MYSQL_SSL_CA',
            'MYSQL_SSL_CAPATH', 'MYSQL_SSL_CIPHER' ) as $opt_key ) {
            $pack[] = ( defined( $opt_key ) ) ? constant( $opt_key ) : null;
            $call_set |= defined( $opt_key );
        }
        /* Now if anything was packed - unpack into the function.
        * Note this doesn't check if paths exist, as per the PHP doc
        * at http://www.php.net/manual/en/mysqli.ssl-set.php: "This
        * function always returns TRUE value. If SSL setup is incorrect
        * mysqli_real_connect() will return an error ..."
        */
        if ( $call_set ) { // SSL added here!
            call_user_func_array( 'mysqli_ssl_set', $pack );
        }
    }
    //END ADD - below is the point above which to insert this
    if ( WP_DEBUG ) {
        mysqli_real_connect( $this->dbh, $host, $this->dbuser, $this->dbpassword, null, $port, $socket, $client_flags );

2. Customize your WordPress wp-config.php file.

Add & customize the following lines in your wp-config.php file. You can test these from development/staging as well as production if you have multiple environments.

    define('DB_HOST', 'rds-yourserver-abcdefghi9j.us-west-1.rds.amazonaws.com');
    define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL); //This activates SSL mode
    define('MYSQL_SSL_CA', '/file/path/to/your/aws/rds-combined-ca-bundle.pem');

Note that there are 5 available MYSQL_SSL* settings you could use in your config, per code in #1 above. My RDS connection works via SSL with just the _CA option.

3. Sanity test that your connection is encrypted.

Add a quick test file to show whether the current WordPress connection is using SSL or not. Create a sample file like this one called test.php, and put it in your WordPress root or somewhere web accessible. Don't forget to remove this file when done testing.

    <?php
    //EDIT THIS PATH SO IT IS CORRECT FOR YOUR test.php file relative to the wp-blog-header.php file
    require( dirname( __FILE__ ) . '/wp-blog-header.php' );
    global $wpdb;
    $row = $wpdb->get_row( "SHOW STATUS LIKE 'Ssl_cipher'" );
    var_dump($row);
    /*
    If you are connected over SSL this should output something like:
    object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(10) "AES256-SHA" }

    If you are NOT connected over SSL this should output something like:
    object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(10) "" }
    */
    ?>

4. Deploy and test your connection

Deploy your changes & test.php file to your WordPress installation, and restart your web server as needed. I'm using Apache, so I run

sudo apachectl restart


For anyone who is using Redhat 7 + Apache 2.4 + PHP 7: I was facing the same issue, so I added the two lines below to wp-config.php as mentioned above.

    define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT ); // you need this for PHP 7
    define('MYSQL_SSL_CA', '/var/www/BaltimoreCyberTrustRoot.crt.pem');

However, I was still not able to connect to the DB...

So I called one guy and he asked me to disable SELinux by running the following command:

setsebool -P httpd_can_network_connect_db 1

I said, dude, I already disabled SELinux, why do I need to run this again? He screamed at me: I DON'T KNOW, JUST RUN IT!

So I did and restarted httpd, and it worked without changing wp-db.php... Don't ask me why, as I totally have no idea about the logic behind this either.
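
Added example (not from either answer above and not WordPress code): the `Ssl_cipher` check in step 3 shows that the session is encrypted, but a connection made with `MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT` passes it too, without the server certificate ever being validated against the CA bundle. The standalone PHP script below connects with verification on and, only if that fails, retries without it to tell a CA or host name mismatch apart from a network or credential failure. The `check_db_tls` function and the `DB_TEST_*` environment variables are hypothetical names, and the script assumes the mysqli extension on PHP 7 or later.

```php
<?php
// Added example, not WordPress code. check_db_tls() and the DB_TEST_* environment
// variables are hypothetical names chosen for this sketch.
function check_db_tls(string $host, string $user, string $pass, string $ca, bool $verify): array
{
    // mysqli_ssl_set() never reports a bad path, so check the CA bundle first.
    if (!is_readable($ca)) {
        return ['connected' => false, 'error' => "CA bundle not readable: $ca"];
    }
    mysqli_report(MYSQLI_REPORT_OFF); // return false on failure instead of throwing
    $dbh = mysqli_init();
    mysqli_ssl_set($dbh, null, null, $ca, null, null);
    $flags = MYSQLI_CLIENT_SSL;
    if (!$verify) {
        $flags |= MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT; // encrypts, skips validation
    }
    if (!@mysqli_real_connect($dbh, $host, $user, $pass, null, 3306, null, $flags)) {
        return ['connected' => false, 'error' => mysqli_connect_error()];
    }
    $status = ['Ssl_cipher' => '', 'Ssl_version' => ''];
    $res = mysqli_query($dbh, "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')");
    while ($res && ($row = mysqli_fetch_assoc($res))) {
        $status[$row['Variable_name']] = $row['Value'];
    }
    mysqli_close($dbh);
    return ['connected' => true, 'verified' => $verify,
            'cipher' => $status['Ssl_cipher'], 'version' => $status['Ssl_version']];
}

$host = (string) getenv('DB_TEST_HOST');
$user = (string) getenv('DB_TEST_USER');
$pass = (string) getenv('DB_TEST_PASSWORD');
$ca   = (string) getenv('DB_TEST_CA'); // path to the CA bundle, e.g. the MYSQL_SSL_CA file
$strict = check_db_tls($host, $user, $pass, $ca, true);
if ($strict['connected'] && $strict['cipher'] !== '') {
    echo "OK: certificate verified, {$strict['version']} {$strict['cipher']}\n";
    exit(0);
}
if ($strict['connected']) {
    echo "FAIL: connected, but Ssl_cipher is empty (session not encrypted)\n";
    exit(1);
}
echo "Verified connection failed: {$strict['error']}\n";
// Diagnostic only: does it connect once certificate validation is skipped?
$loose = check_db_tls($host, $user, $pass, $ca, false);
echo $loose['connected']
    ? "Connects only without verification: fix the CA bundle or host name instead of keeping the DONT_VERIFY flag\n"
    : "Fails without verification too: check network path and credentials\n";
exit(1);
```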