HOW TO: Remotely connect WordPress to a database on AWS/RDS with SSL

July 4, 2021

Scenario: You need to securely connect a WordPress instance to a remote database that requires SSL-encrypted connections (e.g. AWS RDS).

Remotely connecting to a database with SSL is super straightforward with database management tools like MySQL Workbench, Azure Data Studio and SequelPro. The only extra step is to download the remote database server's SSL cert and add it to your connection settings.

But what if you want to make WordPress securely connect to a remote database with an SSL cert? In general, AWS RDS instances won't even allow a connection if it isn't encrypted.

Technically, you actually don't even need the certificate present in the keystore of wherever your WordPress instance is running. Just pop this into the wp-config.php:

# Tell WordPress to use SSL for connections, but don't validate the server's cert
define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT );

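This is particularly neat if you're running the WordPress instance in an environment you don't have root access to. Keep in mind that with this flag the traffic is encrypted but the server's certificate is never checked, so the client can't tell the real database from something impersonating it.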

However, if you do have root access, you might want to actually set up the remote DB certificate in the keystore of the WordPress instance. On an Ubuntu machine, you would probably need to place the .crt file in /usr/local/share/ca-certificates/ and run sudo update-ca-certificates.

Then you would drop the MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT flag from the line added to wp-config.php, so it would look like this:

# Tell WordPress to use SSL for connections
define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL );

That's it! Now you can do fun stuff - like run a local version of your "live" staging site for development while keeping in sync with the remote DB or manage WooCommerce orders/tasks from your local machine without contributing to CPU load on your production server during a flash sale.
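
As an added example (not part of the original post), here is a small Python check that reads the text of a wp-config.php and reports which of the two MYSQL_CLIENT_FLAGS settings shown above is in effect, which is handy for spotting sites still running with certificate verification switched off. The function name, the result labels and the sample configs are assumptions made up for illustration.

```python
import re

SSL = "MYSQLI_CLIENT_SSL"
NO_VERIFY = "MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT"

# An active define starts its line, so lines commented out with # or // never match.
# Limitation of this sketch: a define inside a /* ... */ block still counts as active.
DEFINE_RE = re.compile(
    r"^[ \t]*define\s*\(\s*['\"]MYSQL_CLIENT_FLAGS['\"]\s*,([^;]*)\)\s*;",
    re.MULTILINE,
)


def audit_client_flags(wp_config_text):
    """Return a label (names invented for this example) for the DB TLS setting."""
    # PHP keeps the first definition of a constant, so only the first match counts.
    match = DEFINE_RE.search(wp_config_text)
    if match is None:
        return "ssl-flag-missing"
    flags = set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", match.group(1)))
    if SSL not in flags:
        return "ssl-flag-missing"
    if NO_VERIFY in flags:
        return "ssl-no-verify"   # encrypted, server certificate not checked
    return "ssl-verify"          # encrypted, verification not switched off


# Constructed sample configs (placeholder host name, not from the post).
SAMPLE_NO_VERIFY = """<?php
define( 'DB_HOST', 'db.example.invalid' );
define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT );
"""
SAMPLE_VERIFY = """<?php
# define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT );
define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL );
"""
SAMPLE_UNSET = """<?php
define( 'DB_HOST', 'db.example.invalid' );
"""

if __name__ == "__main__":
    for name, text in [("no-verify", SAMPLE_NO_VERIFY), ("verify", SAMPLE_VERIFY),
                       ("unset", SAMPLE_UNSET)]:
        print(name, "->", audit_client_flags(text))
```

To check a real site, pass the contents of its wp-config.php to audit_client_flags() and treat anything other than "ssl-verify" as worth a second look.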