Comments on: Securing a WordPress page with https

By: John Lynn

John Lynn — Wed, 18 Aug 2010 21:11:22 +0000

Mvied,
That’s a good thing. I just handle mine with redirects and then page templates on the pages that I want to only have SSL.

By: Mvied

Mvied — Wed, 18 Aug 2010 20:05:44 +0000

No, my plugin only affects script, link (stylesheet), and img tags. If you want your entire site to be HTTPS, then change your WordPress Address and Blog Address to HTTPS in Settings > General in your WordPress admin panel.

I avoided adding this functionality for this reason. Also, WordPress 3.0 does this automatically. When pages are viewed over HTTPS, WordPress 3.0 automatically changes all internal links to HTTPS.

This functionality is not always desired, though. I’ve done some E-commerce sites that I only wanted to the checkout pages to be HTTPS, and have had to leave them at 2.9 so that WordPress does not change all my links when I don’t want it to.

By: John Lynn

John Lynn — Wed, 18 Aug 2010 16:56:51 +0000

Does it change ALL the links on the page to https? The problem with that is that if they navigate to any https:// page on the site, then when they click on nav links they’ll be navigating as http:// from then on.

By: admin

admin — Wed, 18 Aug 2010 16:54:02 +0000

Cool! I’m glad you did! Getting tired of this hack

By: Mvied

Mvied — Wed, 18 Aug 2010 16:50:50 +0000

Hey, not to steal your thunder or anything, but I've created a plugin to fix the partially encrypted errors for any Wordpress page being accessed over HTTPS. Ladies and gentlemen, Wordpress HTTPS/.

By: John Lynn

John Lynn — Mon, 12 Jul 2010 17:45:36 +0000

I got this working well. I took the approach I mentioned in my above comment. I created a specific page template for the page that I wanted to secure.

One other note, is in my specific page template, I had to have custom header and footer pages. This works those for custom header and footers:
get_footer(sslpage);
get_header(sslpage);
That will include footer-sslpage.php and header-sslpage.php

Then, in the page template I only included HTTPS links. Yes, this did mean removing much of my navigation. I might work later to try and include some minimal navigation that we’ll redirect a HTTPS page to the main page or something.

However, I don’t necessarily want them distracted by other links. I want them taking the secure action (ie. paying me money).

By: Jonathan

Jonathan — Thu, 10 Jun 2010 02:12:45 +0000

Hey, gang, I’m still unable to find a good solution to this problem: Alex’s code sets all the links in the secured page to https: but the bad news is that means if you user clicks any link on your now secure page, like the navigation menu or a button, WordPress tries to call that new page with https: not http:. Of course, IE is going to popup an error that you are trying to go with https: to a page that isn’t secure.

I thought the answer was to write in my .htaccess file a command to change any calls to https: to any page other than the one that Alex’s code is securing to switch from https: back to http:

For instance, if the page Alex’s code is securing is /apply then in .htaccess I can say if you are calling https: on port 443 and your URL doesn’t include “apply” then call with http:

RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{REQUEST_URI} ^.*\.*$
RewriteRule !^(apply)(.*)$ http://%{SERVER_NAME}%{REQUEST_URI} [L,R]

However, while this .htaccess code works fine when run by itself (it will switch any https: call back http:) whenever I install it then it causes Alex’s code to fail.

I’ve spent countless hours trying to debug this, no luck so far.

Alex’s solution would be perfect IF it not only secure one page by making all URLs in that page https: but also was smart enought if a user clicked one of those https: links to go back to using http: to get that page insecure page.

If I ever find the answer I’ll post here.

By: John Lynn

John Lynn — Wed, 09 Jun 2010 21:29:07 +0000

I’m still uncomfortable with the non-ssl page being available. Seems like the solution there is to just check if it’s that page and redirect to the ssl page. Then, it solves that issue. Plus, if somehow they get by that, on that page you just put a check to make sure it’s SSL before you display anything, no?

By: admin

admin — Wed, 09 Jun 2010 21:25:50 +0000

Yep! You can do that. Either way works – this solution allows you to keep your entire site in tact. Sometimes small plugins like weather widgets need to be removed, but overall this is a semi-automatic way of doing it.

By: John Lynn

John Lynn — Wed, 09 Jun 2010 21:23:21 +0000

Can’t you just use the .htaccess changes or the code above that redirects the page to https:// and then use a page template which only includes a simple header that matches your theme and do whatever processing from there?

Or I guess use a page template to remove a lot of the https:// navigation to prevent that issue?