Is there a way to force ssl on certain pages

7 comments

1. Use the admin-ssl plugin. For stuff outside of wp, use rewriite rule in apache

   Log in to Reply

2. New workflow, since the Admin SSL plugin is not supported.

   • use the Plugin WP https

   • See the settings

   • If you want SSL for wp-admin, add this to the wp-config.php:

     define( 'FORCE_SSL_ADMIN', TRUE );
     

   • If you want also SSL for the log in page, add this to the wp-config.php

     define( 'FORCE_SSL_LOGIN', TRUE );
     

   • Add the follow line to the .htaccess; remove the default of WP

     <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
     </IfModule>
     

   • If you set a specific page/post to SSL in front-end, then use the following plugin or set the option in the editor of the post/page; only if you have active this possibility of the plugin WP https. see also Gist 4081291 for a sample plugin

     /**
      * Plugin Name: Force SSL for specific pages
      * Description: 
      * Author:      Frank Bültge
      * Author URI:  http://bueltge.de/
      * Version:     1.0.0
      */
     
     ! defined( 'ABSPATH' ) and exit;
     
     if ( ! function_exists( 'fb_force_ssl' ) ) {
     
         add_filter( 'force_ssl' , 'fb_force_ssl', 1, 3 );
         function fb_force_ssl( $force_ssl, $id = 0, $utrl = '' ) {
             // A list of posts/page that should be SSL
             $ssl_posts = array( 22, 312 );
     
             if ( in_array( $id, $ssl_posts ) )
                 $force_ssl = TRUE;
     
             return $force_ssl;
         }
     
     } // end if func exists
     

   • Without Plugin WordPress HTTPS

     add_action( 'template_redirect', 'fb_ssl_template_redirect', 1 );
     function fb_ssl_template_redirect() {
     
             if ( is_page( 123 ) && ! is_ssl() ) {
     
                 if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
                     wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']), 301 );
                     exit();
                 } else {
                     wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
                     exit();
                 }
             } else if ( !is_page( 123 ) && is_ssl() && !is_admin() ) {
     
                 if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
                     wp_redirect(preg_replace('|^https://|', 'http://', $_SERVER['REQUEST_URI']), 301 );
                     exit();
                 } else {
                     wp_redirect('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
                     exit();
                 }
             }
     }
     

   or a smaller version, but not with fallbacks, if the url is wrong

   add_filter( 'pre_post_link', 'fb_set_ssl_url', 10, 3 );
   function fb_set_ssl_url( $permalink, $post, $leavename ) {
   
       if ( 123 == $post->ID )
           return preg_replace( '|^http://|', 'https://', $permalink );
   
       return $permalink;
   }
   

   Log in to Reply

3. For WordPress version 3.0 and above, the admin-ssl plugin does not work. In order to get SSL to work, you need to take two steps:

   1. Enable the Administration Over SSL option in your wp-config.php file (see here).
   2. Install the WPSSL plugin on the site. (updated for WordPress 3.0+)
   3. On the pages you want to to run over SSL, add a meta tag called “force_ssl” and set the value to “true”.

   You should be all set after that.

   Log in to Reply

4. Try the Better WP Security Plugin. Along with a bunch of helpful tweaks to secure your site, it has some settings that allow you to force ssl to the login page, or the entire back-end if you choose, and to selected pages on the front end per content via a selection box added to the visual editor. Very easy to use.

   Of course, you do have to have SSL set-up on your server first, meaning you either have to install a self-signed certificate (not recommended) or pay for a certificate from a 3rd party authority and install it on your server.

   Log in to Reply

5. I had multiple problems with your solutions (but it helped me). I’ll put my solutions here for the following case :

   • WordPress multisite
   • Server on vestacp running on apache with nginx proxy

   .First i only used this WP extension : “SSL Insecure Content Fixer” who can handle WPMU, and the “mixed content” error (Since “WordPress Https” is deprecated and not working for me)

   .Secondely, the is_ssl() function wasn’t working with nginx proxy so i used this one :

   function isSecure() {
     return
       (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
       || $_SERVER['SERVER_PORT'] == 443;
   }
   

   .Also “is_page()” wasn’t working so this is my final code (for redirecting the specific pages” to https)

   add_action( 'template_redirect', 'fb_ssl_template_redirect', 1 );
   function fb_ssl_template_redirect() {
   
       global $post;
   
       //login = 8886
       //Pages clients
       $array_posts_ssl = array(8886);
       $array_posts_ssl_parents = array(8886);
   
       if ( in_array($post->ID,$array_posts_ssl)  ) {
   
           if ( !isSecure() ) {
               wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
               exit();
           }
   
       } else  {
   
           if ( isSecure() ){
               wp_redirect('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] , 301 );
               exit();
           }
       }
   
   }
   

   Log in to Reply

6. Both of the plugins mentioned above seem to be outdated or at least haven’t been maintained ina while. The WordPress-https plugin seems to be the best option and will force ssl on the entire site or just on certain pages.

   Log in to Reply

7. Below would be the best “WordPress” way to do it, i have fully commented it for you to explain what its doing.

   add_action('wp','_my_custom_ssl_redirect'); // the 'wp' hook is the first place the post id is set.
   function _my_custom_ssl_redirect(){
       global $post,$wp; // get some global values.
   
       $page_ids = array(2,123,321,456); // array of page ids we want to force to ssl.
   
       if( is_page() && isset($post->ID) && in_array($post->ID,$page_ids) ){ // check we are on a page and its a page we want to redirect.
   
           wp_safe_redirect( // make sure we only redirect to "internal" urls.
               add_query_arg( // add any url query arguments back to the url.
                   $_SERVER['QUERY_STRING'], // The current query args.
                   '',
                   trailingslashit( // add a trailing slash to the home url as sometimes it is not added.
                       home_url( $wp->request, "https" ), // get the home url HTTPS link.
                       301 // set the redirect to be 301 "permanent", you can use 302 "temporary" here instead.
                   )
               )
           );
           exit; // exit ASAP, no point in loading anything more.
       }
   }
   

   Non commented version for neatness 🙂 (same exact code)

   add_action('wp','_my_custom_ssl_redirect');
   function _my_custom_ssl_redirect(){
       global $post,$wp;
   
       $page_ids = array(2,123,321,456); // array of page ids we want to force to ssl.
   
       if( is_page() && isset($post->ID) && in_array($post->ID,$page_ids) ){ 
           wp_safe_redirect( add_query_arg( $_SERVER['QUERY_STRING'], '',trailingslashit(home_url( $wp->request, "https" ), 301 )) );
           exit;
       }
   }
   

   Log in to Reply