Is there a way to force ssl on certain pages

by

The question:

I want to force a secure connection on some of my pages (ones with forms), but I don’t want the whole site to work with ssl (slows it down)

Is there a way to configure specific pages to require ssl?

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

Use the admin-ssl plugin. For stuff outside of wp, use rewriite rule in apache

Method 2

New workflow, since the Admin SSL plugin is not supported.

  • use the Plugin WP https

  • See the settings

  • If you want SSL for wp-admin, add this to the wp-config.php:

    define( 'FORCE_SSL_ADMIN', TRUE );

  • If you want also SSL for the log in page, add this to the wp-config.php

    define( 'FORCE_SSL_LOGIN', TRUE );

  • Add the follow line to the .htaccess; remove the default of WP

    <IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteCond %{SERVER_PORT} !^443$
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>

  • If you set a specific page/post to SSL in front-end, then use the following plugin or set the option in the editor of the post/page; only if you have active this possibility of the plugin WP https. see also Gist 4081291 for a sample plugin

    /**
 * Plugin Name: Force SSL for specific pages
 * Description: 
 * Author:      Frank Bültge
 * Author URI:  http://bueltge.de/
 * Version:     1.0.0
 */

! defined( 'ABSPATH' ) and exit;

if ( ! function_exists( 'fb_force_ssl' ) ) {

    add_filter( 'force_ssl' , 'fb_force_ssl', 1, 3 );
    function fb_force_ssl( $force_ssl, $id = 0, $utrl = '' ) {
        // A list of posts/page that should be SSL
        $ssl_posts = array( 22, 312 );

        if ( in_array( $id, $ssl_posts ) )
            $force_ssl = TRUE;

        return $force_ssl;
    }

} // end if func exists

  • Without Plugin WordPress HTTPS

    add_action( 'template_redirect', 'fb_ssl_template_redirect', 1 );
function fb_ssl_template_redirect() {

        if ( is_page( 123 ) && ! is_ssl() ) {

            if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
                wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']), 301 );
                exit();
            } else {
                wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
                exit();
            }
        } else if ( !is_page( 123 ) && is_ssl() && !is_admin() ) {

            if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
                wp_redirect(preg_replace('|^https://|', 'http://', $_SERVER['REQUEST_URI']), 301 );
                exit();
            } else {
                wp_redirect('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
                exit();
            }
        }
}

or a smaller version, but not with fallbacks, if the url is wrong

add_filter( 'pre_post_link', 'fb_set_ssl_url', 10, 3 );
function fb_set_ssl_url( $permalink, $post, $leavename ) {

    if ( 123 == $post->ID )
        return preg_replace( '|^http://|', 'https://', $permalink );

    return $permalink;
}

Method 3

For WordPress version 3.0 and above, the admin-ssl plugin does not work. In order to get SSL to work, you need to take two steps:

  1. Enable the Administration Over SSL option in your wp-config.php file (see here).
  2. Install the WPSSL plugin on the site. (updated for WordPress 3.0+)
  3. On the pages you want to to run over SSL, add a meta tag called “force_ssl” and set the value to “true”.

You should be all set after that.

Method 4

Try the Better WP Security Plugin. Along with a bunch of helpful tweaks to secure your site, it has some settings that allow you to force ssl to the login page, or the entire back-end if you choose, and to selected pages on the front end per content via a selection box added to the visual editor. Very easy to use.

Of course, you do have to have SSL set-up on your server first, meaning you either have to install a self-signed certificate (not recommended) or pay for a certificate from a 3rd party authority and install it on your server.

Method 5

I had multiple problems with your solutions (but it helped me). I’ll put my solutions here for the following case :

  • WordPress multisite
  • Server on vestacp running on apache with nginx proxy

.First i only used this WP extension : “SSL Insecure Content Fixer” who can handle WPMU, and the “mixed content” error (Since “WordPress Https” is deprecated and not working for me)

.Secondely, the is_ssl() function wasn’t working with nginx proxy so i used this one :

function isSecure() {
  return
    (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || $_SERVER['SERVER_PORT'] == 443;
}

.Also “is_page()” wasn’t working so this is my final code (for redirecting the specific pages” to https)

add_action( 'template_redirect', 'fb_ssl_template_redirect', 1 );
function fb_ssl_template_redirect() {

    global $post;

    //login = 8886
    //Pages clients
    $array_posts_ssl = array(8886);
    $array_posts_ssl_parents = array(8886);

    if ( in_array($post->ID,$array_posts_ssl)  ) {

        if ( !isSecure() ) {
            wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
            exit();
        }

    } else  {

        if ( isSecure() ){
            wp_redirect('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] , 301 );
            exit();
        }
    }

}

Method 6

Both of the plugins mentioned above seem to be outdated or at least haven’t been maintained ina while. The WordPress-https plugin seems to be the best option and will force ssl on the entire site or just on certain pages.

Method 7

Below would be the best “WordPress” way to do it, i have fully commented it for you to explain what its doing.

add_action('wp','_my_custom_ssl_redirect'); // the 'wp' hook is the first place the post id is set.
function _my_custom_ssl_redirect(){
    global $post,$wp; // get some global values.

    $page_ids = array(2,123,321,456); // array of page ids we want to force to ssl.

    if( is_page() && isset($post->ID) && in_array($post->ID,$page_ids) ){ // check we are on a page and its a page we want to redirect.

        wp_safe_redirect( // make sure we only redirect to "internal" urls.
            add_query_arg( // add any url query arguments back to the url.
                $_SERVER['QUERY_STRING'], // The current query args.
                '',
                trailingslashit( // add a trailing slash to the home url as sometimes it is not added.
                    home_url( $wp->request, "https" ), // get the home url HTTPS link.
                    301 // set the redirect to be 301 "permanent", you can use 302 "temporary" here instead.
                )
            )
        );
        exit; // exit ASAP, no point in loading anything more.
    }
}

Non commented version for neatness 🙂 (same exact code)

add_action('wp','_my_custom_ssl_redirect');
function _my_custom_ssl_redirect(){
    global $post,$wp;

    $page_ids = array(2,123,321,456); // array of page ids we want to force to ssl.

    if( is_page() && isset($post->ID) && in_array($post->ID,$page_ids) ){ 
        wp_safe_redirect( add_query_arg( $_SERVER['QUERY_STRING'], '',trailingslashit(home_url( $wp->request, "https" ), 301 )) );
        exit;
    }
}


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Comment