Dec. 01, 2009

Securing a WordPress Page with SSL

Oh, this again?
Yes, this again. You know it's important so just be patient with me. In fact, not much is more important when running an online shop than making sure the page where folks will be submitting their credit card numbers is secure.
The first thing to do is check if your host sells SSL certificates. Bluehost and Hostmonster, as well as many others, not only sell you an SSL certificate, they also install it for you. You may need to purchase a Dedicated IP Address as well. The costs are negligible considering having this security will translate into more sales. So cough up some $ for overhead, will you.

If you run an online shop and use WordPress you probably also use WP-E-Commerce. So after you have bought the SSL Certificate go to Products>>Settings>>Admin.
Find this: “The location of the shopping cart: ” In the text field next to this line of text will be a URL that starts with http. Add an “s” to the end of http. Click Update.

Install the HTTPS for WordPress plugin and activate it.

So here comes the tedious bit. Go to the check out page of your shop. Does the addressbar turn blue? Does the lock icon in the lower right hand of your desktop remain unbroken?
You are all set.
**Sorry, this info is completely Firefox-centric (dear, dear Firefox…). Ahem. OK, in Safari nothing happens to the addressbar and there is no lock icon in the lower right hand of the location bar unless you have paid a lot of money for an extended validation certificate, and then chances are you are not using it on a wp-e-commerce shop. If you use the lower cost certificate, just be happy that you get to the secure page without Safari yelling at you that it is not using a valid certificate.

If there is no blue addressbar (Firefox), or Internet Explorer tells you the page contains secure and insecure items and then asks you if you want to show the insecure items, we will have to view the source of our page. We’re looking for any URL that isn’t https. For me it was the stylesheet of the NextGen Gallery plugin, the stylesheet for the WP-Slimbox2 plugin and its .JS files and the Sociable stylesheet. You can copy the links and paste them into a text file to save for later.

So what I did next was turn off the stylesheet for the Sociable plugin (you can do this on its Options page) and wrote my own style and put it in my main theme stylesheet. One less URL to worry about. Then I went to Plugins>>Editor and I brought up NextGen to edit. I commented out everything to do with loading the stylesheet for the Gallery Plugin like this:

function load_styles() {
		
		// check first the theme folder for a nggallery.css
		//if ( nggGallery::get_theme_css_file() )
			//wp_enqueue_style('NextGEN', nggGallery::get_theme_css_file() , false, '1.0.0', 'screen'); 
		//else if ($this->options['activateCSS'])
			//wp_enqueue_style('NextGEN', NGGALLERY_URLPATH.'css/'.$this->options['CSSfile'], false, '1.0.0', 'screen'); 

Then I pasted the link into my header.php file like this (a good place is right after the link to your theme stylesheet):

<link rel='stylesheet' id='NextGEN-css'  href='/wp-content/plugins/nextgen-gallery/css/nggallery.css?ver=1.0.0' type='text/css' media='screen' />

And now there was one less URL to worry about.

Next I opened WP-Slimbox2 in the Plugin Editor. I found this:

echo '<script type="text/javascript" src="/blog/wp-content/plugins/wp-slimbox2/javascript/slimbox2.js?ver=2.02"></script>';
		if($options->get_option('resizeEasing') != 'swing') wp_enqueue_script('jquery_easing');
		//wp_enqueue_script('slimbox2_autoload');

Where it says echo I deleted the link. Then it just read:

echo '';
		if($options->get_option('resizeEasing') != 'swing') wp_enqueue_script('jquery_easing');
		//wp_enqueue_script('slimbox2_autoload');

I pasted the link to the script into my header.php before the </head> tag.

<script type='text/javascript' src='/blog/wp-content/plugins/wp-slimbox2/javascript/slimbox2.js?ver=2.02'></script>

**Seems like WP-Slimbox2 doesn’t do anything if used with the wp-e-commerce plugin. It's a JavaScript conflict, I guess.

So that was the hard part. Then I went back to the check out page and refreshed the page. The addressbar stayed blue and the lock icon did not break.
Out of 13 active plugins, 3 had calls to scripts or stylesheets in header.php that were not made https. That’s pretty lucky. You may have many more plugins to edit before your page will remain secure. Hopefully even though this is tedious it will be worth it to be able to have a secure page.

Admin SSL/HTTPS for WP
I used to recommend the Admin SSL plugin for WP, because it used to turn all links to https and, if you clicked away from the secure page, it used to redirect back to regular http.
Well, it doesn’t seem to be working that well anymore, and it can cause a bit of a headache if you deactivate it then reactivate it, depending on your host environment/settings. I’m talking about those endless redirection loop errors that rendered your website inoperable. They were fun. So on one side we have kind of a heavy-duty plugin that can render your site useless but that doesn’t do what we need it to do. And on the other side we have a plugin that doesn’t quite do everything we need it to do (transform all links to https) but will not adversely affect your website. *HTTPS for WordPress didn’t use to be able to redirect back to regular http if you clicked away from the secure page. Now it does.

*This is still true, unfortunately. The plugin cannot redirect links out of SSL. My 1st writings were based on results from only one site – a mistake to make assumptions based on only one site.

After testing on 2 other websites I’ve concluded that the 1st site is the exception, not the rule.

A workaround is to make sure that at least the home link (which is usually added in a theme above the page menu function), or any other navigation links, like those in the sidebar if you’re not using the wp page menu function, use full paths, i.e. http://www.domain.com/ instead of /page. That way, if someone chooses not to check out or send the form and clicks another link to leave the page, that link will be http. That’s a definite way to get out of SSL. My further tests showed me I don’t have to make all links use https. Just CSS, JS and images need to use https for the browser to show the secure page is ok.

This seems to be ok with at least Firefox; will test in IE. I had tested in IE but not with full path linkage in my menus.

But it still doesn’t cause any problems if you deactivate it. So it gets my current vote.

Note:
If you ever upgrade any of the plugins you edited you’ll have to do this all over again. So save copies of the files you edited so you can find where to edit more easily.
Of course you could say that neither plugin really “works” because you have to do stuff like this to get them to secure a page. But that’s life.


4 Responses to Securing a WordPress Page with SSL

  1. Karen wrote:

    Have you ever been able to force SSL on only one page in a WordPress site? We have a donations page that needs SSL but do not want SSL on the rest of the site.

    • mccormicky wrote:

      Yes, I have been able to secure just one WordPress page, but if you read this post you’ll see it takes a bit of work, especially if you use plugins whose JavaScript and CSS files don’t get switched to https:// in your WordPress theme header.php or footer.php. Plugin files are the number 1 reason I’ve ever had a problem securing a WordPress page. All JavaScript and CSS files must be linked to with https:// not http:// or the secure page will throw a warning that the page contains secure and insecure items. And this goes for image files as well.
      Get the HTTPS for WordPress plugin, upload it and activate it and then go to any page on your site using a https:// URL, for example https://www.mysite.com/my-secure-page/ if you use Permalinks.
      If you don’t have Permalinks turned on the link will look like this: https://www.mysite.com/?=23. In Internet Explorer, if the webpage is secured and there are no insecure items and the SSL certificate is valid, you will see a lock icon next to your addressbar. In Firefox the addressbar will turn blue. If the lock icon has a jagged line through it and you get a warning that the page has insecure items (Internet Explorer), or the addressbar starts out as blue then goes back to white (Firefox), then you have to view the source of the page and see which files have link rel=”https:// or just link rel=”http://. Like I said earlier, the culprits are usually JavaScript or CSS files needed by plugins you are using or images you’ve embedded in the page.
      One thing you can do is turn off all other plugins except the HTTPS for WordPress plugin and then see if the page loads securely without issues. Then keep turning plugins back on one by one until you find the one that is not getting its files secured.
      If you follow the tutorial here you’ll see what I suggest doing. It's not exactly easy as pie but so far it's the only way I’ve been able to find to secure just one page, not the whole site.

  2. Dixie Vogel wrote:

    I’ve been researching this issue myself as I need to secure a couple pages in a WP install. You all may be interested in this article I found on it, where he provides a workaround for the mixed content error – http://www.propellingsolutions.com/2009/12/securing-a-wordpress-page-with-https/

    Haven’t tested it yet but I will be, I’m sure… :)

  3. Jesse wrote:

    Thank you for sharing this. I was afraid I was going to have to meddle some more in other people’s plugins. I’ll report back my success/failures for others.