HTTPS for the Checkout Page in WordPress Ecommerce

This is done with the Admin-SSL plugin.
Don’t be surprised if you can’t find this plugin’s config page. It gets installed in the Plugins menu after you activate it. You can switch it to the Settings menu, but only after you find it! Yeah, yeah, yeah, I know, but whatever, this plugin works!

Securing the Checkout Page
Go to http://yoursite.com/your wordpress folder/wp-admin/options-general.php?page=admin-ssl-config.
Use the Additional URLs box to put in your order/checkout page. If you aren’t using (or can’t use) permalinks, your URL might look like this: ?page_id=12. Except it won’t be 12; it will be the numeric ID of your order/checkout page. I was so used to being able to use custom permalinks that I was a bit lost when faced with what part of the URL goes there when I came across another server that had not set up mod_rewrite properly.

You can also change the location of your shopping cart URL to https in Ecommerce>>Settings>>Admin, but you will still need this plugin to convert all the URLs to https; otherwise your little lock icon will be broken and the address bar will not turn blue or green if you have spent the big $$$ for an extended SSL. These days online shoppers are warned over and over not to submit credit card numbers on non-secure websites. So even if you have purchased and installed your own private SSL certificate and your web page is secure, it won’t look like it with a broken lock icon!
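The broken lock described above comes from resources that the secure page still loads over plain http. As an added example (not part of the original post or of the Admin-SSL plugin), this Python script lists them from a page's HTML source; the function name, the tag lists and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL is fetched by the browser; plain <a href> links are not.
FETCHING = {"script": "src", "iframe": "src", "img": "src", "object": "data"}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that are fetched
ACTIVE = {"script", "iframe", "object"}  # content that can rewrite the page

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":  # checkout data would be posted in clear text
            self._check("form-action", tag, a.get("action"))
        elif tag == "link":
            if LINK_RELS & set(a.get("rel", "").lower().split()):
                self._check("active", tag, a.get("href"))
        elif tag in FETCHING:
            kind = "active" if tag in ACTIVE else "passive"
            self._check(kind, tag, a.get(FETCHING[tag]))

    def _check(self, kind, tag, url):
        absolute = urljoin(self.page_url, (url or "").strip())  # resolve relative paths
        if url and urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    """Return insecure resources referenced by a page served over HTTPS."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: markup of the kind a theme's header.php and plugins emit.
PAGE = "https://www.example.com/wordpress/?page_id=12"
SAMPLE = """<head>
<link rel="stylesheet" href="http://www.example.com/wordpress/wp-content/themes/x/style.css" />
<link rel="archives" title="May 2009" href="http://www.example.com/wordpress/?m=200905" />
<script src="/wordpress/wp-includes/js/jquery/jquery.js"></script>
<script src="http://www.example.com/wordpress/wp-content/plugins/y/y.js"></script>
</head><body><img src="http://www.example.com/wordpress/logo.png">
<a href="http://www.example.com/wordpress/">Home</a>
<form method="post" action="http://www.example.com/wordpress/?page_id=12"></form></body>"""

for kind, tag, url in find_mixed_content(PAGE, SAMPLE):
    print(f"{kind:12} <{tag}> {url}")
```

The relative script path, the `rel="archives"` link and the ordinary anchor are not reported, because none of them makes the browser fetch anything over http.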

I tried using the https-for-wordpress plugin – but you could remove the “s” and still view the order page. Admin-SSL will redirect back to https no matter what and only the pages you want to use https will use https. Even though any file or link URL in the document or on the page are auto converted to https, once a site visitor follows any of these links they are redirected back to http. Https-for-wordpress also was not able to convert every link from http to https, namely some files called by plugins in the header theme file.

You can translate trust into sales so it’s a good idea to spring for a proper SSL certificate if you plan on collecting CC numbers anywhere on your site.
The author of this plugin says it can be used for Shared SSL as well.

5 thoughts on “HTTPS for the Checkout Page in WordPress Ecommerce”

  1. Odd things happened after I posted this. I went to that site’s check out page and the certificate was broken! All the links in the header were not all https. Weird. Well I had to secure some more stuff and then the problem was fixed. But I’m worried that it’s just going to go in and out like that again.

  2. I’ve bought a fixed IP and an SSL through Bluehost, but having a hard time fixing the broken SSL lock in my browser (FF3, IE 7, Chrome, etc… all broken).

    I’ve created a new page in WordPress, and pointed it to a php template I created. Essentially, all that’s in the file is my , the template name … and the word “test.”

    Piece by piece, I’m eliminating things in my header.php file, hoping that eventually, I’ll have a clear padlock, and secure page ….

    No luck so far.

    What sort of way do you troubleshoot this??

    – Bill

    1. So you can’t secure your test page with the Admin-SSL plugin? I wouldn’t eliminate stuff from header.php directly–I would install the Admin-SSL plugin and then secure the test page.

      Troubleshooting:
      If you still get a broken lock then you should view the source of your page and see all the urls that aren’t https.
      Even using your empty test template–you still have to use header.php & footer.php and these are the files that get us in trouble because of the urls with non-relative paths. Pretty much any url called by WP or a WP plugin is going to use the full path (everything from http on)
      I.e.:

      <?php wp_get_archives('type=monthly&format=link'); ?>

      You could view the source of your page copy all the links, urls, etc and then give them relative paths /wordpress/directory/filename
      instead of http://www.yourdomain/wordpress/directory/filename

      With a clean install (not 45 plugins, not many code hacks, etc) Admin-SSL should be able to secure each url in the page, footer and header. And if it isn’t doing it, it is most likely because the ssl plugin can’t secure urls put in the header by plugins and it’s probably just a css or JavaScript file causing all the trouble!

      Make sure that <?php wp_head(); ?> and <?php wp_footer(); ?> are in the right places in header (wp-head) and footer (wp-footer) respectively.

      One more thing you can do is move the Google analytics code (if you have it)–it’s usual to put it in footer.php–try putting it in header.php.
      One Firefox addon that has helped me so much is Web Developer. I can use it to view the link information of all pages. Easier to find that one url that isn’t https and that is breaking your lock.
      I hope this was helpful.

  3. Thanks for the help, McCormicky. You’ve already been more helpful than Bluehost support.

    Tried the admin-SSL …. no go.

    You were right. In using the Web Developer plugin, I caught a few more http lines of code within my tags.

    But I seem to have more. And judging from my Page Source, they seem to be coming from

    How can I edit this?

    Here’s the link to the page I’m playing with and trying to secure:

    https://www.estrellastudios.com/web-invoice/?invoice_id=bc8934310738e45d22c30486e3bc945c

    Thanks, Bill

  4. Hi again Bill,
    My comments erased whatever it was you were trying to show me, darn it!

    No offense to Bluehost support but I am not surprised that they cannot help you. The minute they hear WP they think “Uh Oh you did something weird”!

    I went to your page and the lock was fine for me. But I viewed the source and not all the urls were https but never mind.
    Maybe you can try changing your Permalink Settings? Bluehost is a good host and for sure has mod rewrite set up correctly and so WP will auto redirect all your old linkage to the new structure so no fearing 404’s.

    /%post_id%/%postname%/ is my custom setting.

    The reasoning behind this is that Admin-SSL asks you to secure the page and ?page_id=12345678 is harder than webinvoices/12345678

    My post was all about using Admin-SSL to secure a page not necessarily how to secure a WordPress page all by yourself!

    Why? Because when you click away from the secure page Admin-SSL will kick your site back to http! I clicked away from your secure page and was still in https.

    If you trust me, email me your login info and I will see what is going on.
