Index: core/admin_templates/login.tpl
===================================================================
--- core/admin_templates/login.tpl
+++ core/admin_templates/login.tpl
@@ -259,7 +259,16 @@
 			if (window.top.frames.length > 0) {
 				redirect();
 			}
+			else {
+				// Change the hostname in the URL to match the Admin Console domain when necessary.
+				var $actual_hostname = window.location.hostname,
+					$expected_hostname = (new URL('<inp2:m_AutoDomainLink no_amp="1" js_escape="1"/>')).hostname;
+
+				if ( $actual_hostname !== $expected_hostname ) {
+					window.location.hostname = $expected_hostname;
+				}
+			}
 		</script>
 	</inp2:m_if>
 
-<inp2:m_include t="incs/footer"/>
\ No newline at end of file
+<inp2:m_include t="incs/footer"/>
Index: core/kernel/application.php
===================================================================
--- core/kernel/application.php
+++ core/kernel/application.php
@@ -990,6 +990,8 @@
 		}
 		// process maintenance mode redirect: end
 
+		$this->assertDomain();
+
 		if ( defined('DEBUG_MODE') && $this->isDebugMode() && kUtil::constOn('DBG_PROFILE_MEMORY') ) {
 			$this->Debugger->appendMemoryUsage('Application before Run:');
 		}
@@ -1054,6 +1056,55 @@
 	}
 
 	/**
+	 * Don't show website when incorrect "Host" HTTP header is used.
+	 *
+	 * @return void
+	 */
+	protected function assertDomain()
+	{
+		if ( !$this->isDomainAllowed() ) {
+			header('HTTP/1.0 404 Not Found');
+
+			if ( $this->isDebugMode() ) {
+				echo '<br/><br/>';
+				echo 'The "<strong>' . PROTOCOL . SERVER_NAME . '</strong>" protocol/domain combo is not allowed.';
+			}
+
+			exit;
+		}
+	}
+
+	/**
+	 * Don't show website when incorrect "Host" HTTP header is used.
+	 *
+	 * @return boolean
+	 */
+	public function isDomainAllowed()
+	{
+		if ( $this->isCachingType(CACHING_TYPE_MEMORY) && $this->getCache($this->getDomainCheckFlagName()) ) {
+			return true;
+		}
+
+		$allowed_domain = DOMAIN;
+
+		if ( PROTOCOL === 'https://' ) {
+			$allowed_domain = $this->getSecureDomain();
+		}
+
+		return SERVER_NAME === $allowed_domain || $this->siteDomainField('DomainName') !== false;
+	}
+
+	/**
+	 * Returns domain check flag name.
+	 *
+	 * @return string
+	 */
+	public function getDomainCheckFlagName()
+	{
+		return 'ignore_domain_check_' . $this->getClientIp();
+	}
+
+	/**
 	 * Replaces current rendered template with given one.
 	 *
 	 * @param string|null $template Template.
@@ -1818,15 +1869,20 @@
 	 */
 	public function getSecureDomain()
 	{
-		$ret = $this->isAdmin ? $this->ConfigValue('AdminSSLDomain') : false;
+		// Front-End uses Admin Console SSL domain, while in the Editing Mode.
+		$admin_domain = $this->isAdmin || EDITING_MODE ? $this->ConfigValue('AdminSSLDomain') : false;
+
+		if ( $admin_domain ) {
+			return $admin_domain;
+		}
 
-		if ( !$ret ) {
-			$ssl_domain = $this->siteDomainField('SSLDomainName');
+		$site_domain = $this->siteDomainField('SSLDomainName');
 
-			return strlen($ssl_domain) ? $ssl_domain : $this->ConfigValue('SSLDomain');
+		if ( $site_domain ) {
+			return $site_domain;
 		}
 
-		return $ret;
+		return $this->ConfigValue('SSLDomain');
 	}
 
 	/**
Index: core/kernel/processors/main_processor.php
===================================================================
--- core/kernel/processors/main_processor.php
+++ core/kernel/processors/main_processor.php
@@ -158,6 +158,25 @@
 		return $ret;
 	}
 
+	/**
+	 * Builds link using the protocol-based domain (not the domain from the current URL).
+	 *
+	 * @param array $params Tag params.
+	 *
+	 * @return string
+	 */
+	protected function AutoDomainLink(array $params)
+	{
+		$params['__SSL__'] = 0;
+
+		// Only build an SSL URL when a secure domain is configured.
+		if ( PROTOCOL === 'https://' && $this->Application->getSecureDomain() ) {
+			$params['__SSL__'] = 1;
+		}
+
+		return $this->Link($params);
+	}
+
 	function Link($params)
 	{
 		// pass "m" prefix, instead of "all", that is by default on Front-End
Index: core/units/configuration/configuration_event_handler.php
===================================================================
--- core/units/configuration/configuration_event_handler.php
+++ core/units/configuration/configuration_event_handler.php
@@ -505,6 +505,29 @@
 			// keeps module and section in REQUEST to ensure, that last admin template will work
 			$event->SetRedirectParam('module', $this->Application->GetVar('module'));
 			$event->SetRedirectParam('section', $this->Application->GetVar('section'));
+
+			if ( !$this->Application->isDomainAllowed() ) {
+				/** @var UserHelper $user_helper */
+				$user_helper = $this->Application->recallObject('UserHelper');
+
+				$user_helper->event =& $event;
+				$user_helper->logoutUser();
+
+				/*
+				 * Ignore domain checks for a while to complete the domain change:
+				 * 1. finish the logout procedure:
+				 *    - delete session cookies on the incorrect domain;
+				 *    - redirect to the login form on the incorrect domain;
+				 * 2. redirect from the incorrect domain to the correct domain.
+				 */
+				if ( $this->Application->isCachingType(CACHING_TYPE_MEMORY) ) {
+					$this->Application->setCache(
+						$this->Application->getDomainCheckFlagName(),
+						true,
+						30
+					);
+				}
+			}
 		}
 
 		/**