Marketpress - force SSL on checkout - subdirectories

Hi! Just wondering how to force ssl for checkout pages of a sub directory install with no domain mapping being used? (I'm aware that with domain mapping and perhaps with subdomains it can be a bit more complicated)

Ta!

  • clothncraft
    • Site Builder, Child of Zeus

    Thanks heaps digitsoft for your prompt reply!

    Yes I've installed that and have been playing around with it but it seems that the marketpress "store" page is the only actual page I can assign as a secure (https) page and the checkout page is sort of "dynamic"? Am I right here?

    Any ideas how to use that plug in to work on the checkout page?

    Any help is GREATLY appreciated. This is pretty much the last thing I need to get sorted out before I go "live"!

  • aecnu
    • WP Unicorn

    Greetings clothncraft,

    By the virtue of your request for forcing sub domain SSL I am under the impression that you have a Wild Card SSL certificate?

    Though I know that I did not try to add to Rob's htaccess code above awaiting the results of your testing, I did want to ask about the certificate.

    Please advise.

    Cheers, Joe

  • Dean Kaus
    • The Bug Hunter

    Hello @aecnu and @digitsoft and also @clothncraft. One of my clients just brought up this concern to me and I hadn't really thought about the secure checkout as I'm using PayPal as the payment gateway.
    I've been pretty well out of it physically the last 3-4 days so I wasn't sharp enough to test it.

    Not sure if this is why my sales are down or not. From what I can tell with the PayPal express gateway, when you enter your shipping information this is not an SSL page; however, when you get to the payment page where you enter credit card information then it does switch to PayPal's Secure Page.

    I don't believe that the CC information is ever passed back to Marketpress. So now you have me thinking: do we need SSL throughout the entire checkout process?

    I know some other sites I regularly make purchases from are secured before you input any information and there are others that don't.

    I'll appreciate any input.

    Thanks!

  • Shawn
    • The Crimson Coder

    It should go ABOVE the normal WP stuff.

    Also note that some servers do not actually process the %{HTTPS} variable, which is why you'll usually see htaccess code that tests security by checking the port number. Converted to ports, the above code would be:

    Options +FollowSymLinks -MultiViews
    RewriteEngine On
    RewriteBase /
    
    # force https for store
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(store|shopping-cart) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    Again...put it ABOVE the WP stuff.

  • Shawn
    • The Crimson Coder

    Can you post your htaccess file? This snippet has to appear above the normal WP stuff (in fact, pretty much everything should) - and with the other htaccess changes you've made, it would be best if we could see it in its entirety.

  • clothncraft
    • Site Builder, Child of Zeus

    Here it is ...

    Options +FollowSymLinks -MultiViews
    RewriteEngine On
    RewriteBase /

    # force https for store
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(store|shopping-cart) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # BEGIN WordPress

    # Force subdomain to subdirectory, passing path
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_HOST} !^www\.clothncraft\.com\.au
    RewriteCond %{HTTP_HOST} ^(.+)(\.www)?\.clothncraft\.com\.au
    RewriteRule (.*) http://www.clothncraft.com.au/%1/$1 [R=301,L]

    # RewriteEngine On
    # RewriteBase /
    RewriteRule ^index\.php$ - [L]

    # uploaded files
    RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]

    # add a trailing slash to /wp-admin
    RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
    RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
    RewriteRule . index.php [L]

    # END WordPress

  • clothncraft
    • Site Builder, Child of Zeus

    Aha - I see. My trouble is that I also want it to work on subsites also as I'm not using the global cart (coz I want folk to be able to use the manual payment gateway).

    Sorry for the confusion. Here I was saying that it wasn't working, and officially it was, just not how I was wanting it to work, thus I wasn't looking at the main site.

    So... any way of making it work for subsites?

  • Shawn
    • The Crimson Coder

    Can you provide a few links to the URLs you'd like to be processed?

    If they all include the pattern "store/" then you can correct the RewriteRule to this:

    RewriteRule store/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    You can be more explicit if we adjust the rule order a bit by removing the first RewriteBase:

    Options +FollowSymLinks -MultiViews
    RewriteEngine On
    
    # force https for store
    RewriteCond %{SERVER_PORT} 80
    RewriteRule /store/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
    # BEGIN WordPress

  • clothncraft
    • Site Builder, Child of Zeus

    Sure thing! ...

    http://www.clothncraft.com.au/prettypractical/store/shopping-cart/shipping/

    http://www.clothncraft.com.au/byalice/store/shopping-cart/shipping/

    It is specifically the shipping page that I want to be ssl-ed .. but then if they're adding login info on the shopping cart screen, it would be good if it was ssl-ed also. I assume if shopping cart is ssled - the rest will follow suit or do we need to specify that also?

    Yes, they also include the same pattern "store/".

    Here's a question ... if the code was changed to suit subsites will it still work on the main site should I choose to move to a global cart sometime in the future?

  • Shawn
    • The Crimson Coder

    This is the one you want:

    Options +FollowSymLinks -MultiViews
    RewriteEngine On
    
    # force https for store
    RewriteCond %{SERVER_PORT} 80
    RewriteRule /store/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
    # BEGIN WordPress

    That'll enable SSL to anything with the string "/store/" anywhere in the URL - in child sites and the main site. Note that there are TWO changes from your htaccess - the RewriteRoot was removed and the RewriteRule was changed to replace the caret with a slash.
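
Added example (not part of the thread and not any poster's code): a small Python model of which request paths each of the three RewriteRule patterns posted above would redirect when the rules sit in a document-root .htaccess. It assumes Apache's per-directory behaviour of stripping the directory prefix before matching, so the string a pattern sees never starts with a slash; the host name and sample paths are constructed.

```python
import re

# The three RewriteRule patterns posted in the thread, in order of appearance.
PATTERNS = {
    "caret": r"^(store|shopping-cart)",
    "bare": r"store/",
    "slash": r"/store/",
}

# Constructed sample paths modelled on the URL shapes discussed in the thread.
SAMPLE_PATHS = [
    "/store/shopping-cart/shipping/",                   # store at the site root
    "/prettypractical/store/shopping-cart/shipping/",   # subdirectory site
    "/byalice/store/shopping-cart/shipping/",           # subdirectory site
    "/byalice/bookstore/",                              # merely ends in "store/"
    "/byalice/about/",                                  # unrelated page
]

def per_dir_path(url_path, htaccess_dir="/"):
    """Path a RewriteRule sees in .htaccess: the directory prefix is removed."""
    if not url_path.startswith(htaccess_dir):
        raise ValueError("request is outside the .htaccess directory")
    return url_path[len(htaccess_dir):]

def redirect_target(pattern, host, url_path, port):
    """Return the https:// Location the cond/rule pair would send, else None."""
    # RewriteCond %{SERVER_PORT} 80  (the condition pattern is a regex)
    if not re.search("80", str(port)):
        return None
    if not re.search(pattern, per_dir_path(url_path)):
        return None
    # Substitution: https://%{HTTP_HOST}%{REQUEST_URI}
    return f"https://{host}{url_path}"

def coverage(pattern, url_paths, host="www.example.test", port=80):
    """Map each path to True if the rule would redirect it to HTTPS."""
    return {p: redirect_target(pattern, host, p, port) is not None
            for p in url_paths}

if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(f"{name}: {pat}")
        for path, hit in coverage(pat, SAMPLE_PATHS).items():
            print("    redirect" if hit else "    pass    ", path)
```

Under that assumption the `/store/` pattern redirects the subdirectory sites but not a store at the site root, and the bare `store/` pattern redirects both but also any path segment that merely ends in "store/". Confirm the result on the live server by requesting each checkout URL over plain HTTP and checking for the 301 to `https://`.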

  • clothncraft
    • Site Builder, Child of Zeus

    You. So. Totally. ROCK!!!

    Thanks SO much! I sent some rep points to you earlier. Anyone reading this through a forum search - send @Shawn some rep points! This is fantastic!!

    I'm SO glad I've got this worked out. I know I'm not collecting credit card info on my sites so I know it wasn't ESSENTIAL to have it operating on checkout but I still feel there's a duty of care we have over the customers' private details that they will be entering into my clients' websites and it's really just "best practice" to have ssl turned on at that point.

    Awesome. Awesome. AWESOME!!

  • Shawn
    • The Crimson Coder

    Thank you!

    SSL is a sticky situation. Most providers require that any potentially sensitive information must be collected and stored securely. This includes shopping cart data and account information directly related to purchases. The way you're doing it is absolutely the best way.
