Securing WordPress With HTTPS
I’ve worked with a number of clients when providing WordPress technical support who need secure post or pages on their WordPress site to collect sensitive information. In this post I want to show you how to setup HTTPS on WordPress.
What Is HTTPS
HTTP stands for hyper text transfer protocol, or the standard way web pages are transferred between your browser and the web server you connect to. HTTPS is HTTP with SSL or secure socket layer. This is an encrypted and secure way of sending data between your browser and the web server.
Enough with the “bibbling” techie speak, what does that mean? It means that the information in your web page is sent back to the web server over an encrypted channel rather than in the clear so hackers cannot intercept that data and use it for nefarious reasons.
Why Would I Want To Use It?
If you are capturing sensitive information on your post or page and then sending it back to the web server in a normal fashion that information will be sent in “the clear” and as a result it can be intercepted by sniffers or people who setup software to capture internet data and try to extract relevant items such as credit card or login details.
wherever you need to capture sensitive information, you need to use https not http.
You are running a health clinic and part of your process is to collect details of the patients symptoms in a web form before booking an appointment. Sending confidential patient information in the clear is a terrible idea.
You capture credit card information on a form before sending it to your payment processor. Part of your agreement will be to have your pages secured via https before you can accept payments.
Prerequisite: The Certificate
The first thing you will need is a certificate on your hosting platform. This post is a bit of a cop out onm that respect, because this is the hardest part of this process, but each hosting company does it a little differently, so I cannot give you detailed information.
Bluehost for example allows you to buy a certificate for approx. $50 per year, and Godaddy also has a certificate add-on/upsell.
If you have your own VPS you will need to create a CSR (certificate signing request) and send that off to a certificate authority and have a custom certificate for your domain created.
As you can see there are many different ways to get and install a certificate, please consult with your hosting company to find the best way to get an SSL certificate, they will be able to help.
What The Certificate Does
The certificate allows you to negotiate a secure channel between your browser and the web server by sending and receiving encryption keys. I’m not going any deeper than that, but if you want a more thorough understanding check out this article http://www.domainledger.com/secure-ssl-certificate.html
Posts and Pages Via SSL
Once your certificate is installed and working we can start securing WordPress resources.
You can check HTTPS is working by typing in https://yourdomain.com. If it returns a valid certificate you will see a padlock in your browser bar.
To secure particular post or pages I like this plugin.
It very simply and neatly adds a force https check box on the post editor. Click on this and the plugin will redirect any visitors to this page to the https version rather than http.
There are also additional options to make your entire site run over https, but unless you are running a bank via WordPress the performance hit will slow down your site considerably as each page will need to be encrypted.
Admin Via SSL
Another option you may want to consider is securing the admin dashboard of your site. All passwords and admin commands are sent in the clear. You may want to consider forcing all admin work over HTTPS.
Please note the above plugin also does this, but here is an alternative using wp-config.
By adding two commands to the wp-config file you can secure the admin or login areas.
a) Force all admin work over https
b) Force just logins over https.
For further information, please see this article on wordpress.org http://codex.wordpress.org/Administration_Over_SSL
If you need to collect sensitive information on a WordPress please consider installing a certificate and forcing HTTPS on your posts, pages or admin dashboard.
Image by declanjewell