Secure all pages but the home page

Hi:

Is there a way to set all pages to SSL except the home page without having to remember to manually check off all the pages as they are added to a site?

The reason for this is that when SSL is used, any caching tool is substantially less effective. Given that the response time of a site's home page is critical it would be nice to be able to easily add SSL to all pages but the home page.

Thanks very much.

  • Michael

    It could be possible, but I would strongly consider either shopping cart (payment gateway) only SSL or full sitewide SSL.

    Why?

    1) This is more logical to the visitor, no questions asked why something is secure, but another area isn't.
    2) Homepage would also contains navigation images / components, which should be HTTPs on the other webpages, therefore you get mixed "not fully secure" warning on some web-browsers. It's not a good idea to have a webpage only half secured. Some web-browsers even hide the non-secured objects from view (you are left with half a website displayed).
    3) Google understands the swap during it's re-indexing. Under Google Webmaster tools, you can simply tell it's HTTPs now.
    4) HTAccess can enforce the HTTPs redirects. You don't want two copies HTTP and HTTPs of a webpage, else it could get treated as duplication content. You also don't want people manually typing the URL or linking your website to use one over the other and not get redirected correctly.

    Firstly update your theme scripts and css to link HTTPs if you are using any absolute URLs. Then do a database search on your webpages to update absolute path internal links and images to use HTTPs too (or manually update page by page under Wordpress, if you don't have too many). However, notice this could break visitors experience during the swap over. So instead rather than having hard coded HTTP:// or HTTPS://, a trick is to just use // instead.

    For example:
    <script src=”http://ajax.microsoft.com/ajax/jquery/jquery-1.3.2.min.js” type=”text/javascript”></script>

    Change this to a protocol relative URL:
    <script src=”//ajax.microsoft.com/ajax/jquery/jquery-1.3.2.min.js” type=”text/javascript”></script>

    You get the automatic use of HTTPS on secure pages and avoid the overhead of HTTPS on non-secure pages.

    Because it's not just URLs, but also images, css, javascript and everything else you redirect / update to run over HTTPs. Under general settings, you need to update "WordPress Address (URL)" and "Site Address (URL)" to work with the HTTPs.

    Something like W3 Total Cache has the option to "Cache SSL (https) requests".
    Overhead of sitewide SSL, when done correctly, is a mere 1% during the handshake.
    Consider using Keep-Alive connection on the server too.

  • Nigel

    Hi Michael:

    Thanks for all that but, unfortunately, I'm not sure any of it answers my initial question. I'm not that worried about handling the HTTP vs HTTPs issues for each of the pages once I get an answer to the question I asked. If I'm able to do what I'm asking then everything else becomes much easier. As a matter of course, I would love to have 100% of my pages SSL but W3 Total Cache can only cache SSL pages per individual request/connection. So, that first request from a new visitor, if its SSL, is going to be much slower than it should be.

    Thanks again for the response. I hope to use your information later on down the line.

  • Tyler Postle

    Hey Nigel,

    Hope you're doing well today!

    I agree with Michael on this one. Trying to force non-ssl only on your home page will surely cause issues down the road. Plus, google takes SSL into account for ranking, so the boost from that may out-weigh any speed reduction you get from it.

    You would need to bypass the domain mapping forcing options and implement your own forcing rules through PHP or .htaccess. The reason for this is because if you forced your site to full SSL with domain mapping then tried to force just the home page to http, it would create a redirection loop - domain mapping forcing http to https and then your custom redirect trying to force back to http.

    In my opinion, the better option here would be to look into other ways to further speed up your site to get it as fast as you can while still running on SSL. Even if it's a tiny bit slower still, the benefits will outweigh the cons. You will run into far less issues in the future.

    Let us know what you think! If you do still want to force just your home page to non-ssl then you may want to consider hiring a developer to create a plugin or .htaccess script to ensure it works as best it can.

    Look forward to hearing back.

    Cheers,
    Tyler

  • Nigel

    Hi Tyler:

    I'm a bit confused. The plugin currently has the ability to say "serve all pages as HTTP but these checked ones over here should be served over HTTPS". So why can't I do the opposite. In fact, couldn't I do what I want right now by setting the default to HTTP and turning the SSL checkbox option for all individual pages except the home page? I was just hoping to not make it all such a manual effort.

    Or maybe you're saying that what I think I can make the plugin do is not something it can really do even with the manual effort?

    Thanks for working this through with me!

  • Michael

    Think of HTTP and HTTPs as the same as being two different sub-domains as such.

    If you want to do only part of the website as SSL, pick sections of it. The same way you would do sub-domains, you might have https://members.domain.com and https://store.domain.com, while the main website is http://www.domain.com. You don't need the sub-domains (unless desired), but it will still be treated the same kind of way (for example: http://www.domain.com and https://www.domain.com/store, https://www.domain.com/member-area, etc). Everything underneath that can remain SSL, for example https://www.domain.com/member-area/profile or https://members.domain.com/profile.

    (Note: If creating sub-domains, you would need to add those into your SSL certificate or have a wildcard SSL - if you don't have that or it costs too much, stick with just sub-folders)

    Therefore make your main website HTTP only.

    Then if you use Woocommerce or Payment gateways, force SSL onto them. Also, you can add it to the admin backend and member area, etc. Just keep them separated in sections (either by sub-domains or folder structure, plus everything under that URL is redirect 301 forced to SSL by HTAccess).

    Then when Google and other search engines come to index it, they will be able to work it out. It won't be as confusing for customers either.

    Do you have any certain sections like that to be able to isolate?

  • Tyler Postle

    Hey Nigel,

    Sorry for the delay.

    I'm a bit confused. The plugin currently has the ability to say "serve all pages as HTTP but these checked ones over here should be served over HTTPS". So why can't I do the opposite.

    Going over HTTP is default, so no redirect really needs to be implemented for that; however, when swapping it to https - you need to redirect http to https. This is the major difference.

    If we did "serve all pages over https except these checked ones: " - you would get a redirect loop on the checked ones, because they would first all be going over https but then redirecting back to http due to the special rule, then back again to https due to the first rule.

    In fact, couldn't I do what I want right now by setting the default to HTTP and turning the SSL checkbox option for all individual pages except the home page? I was just hoping to not make it all such a manual effort.

    Yes, so you could do this - but like you mention it's not exactly ideal.

    The "serve all pages over https except.." option that you want, would be possible with custom coding, but not with this plugin. It would be fairly complex as your telling it to redirect every future page as well, so there needs to be logic added to achieve that.

    I will mark this as a feature request, but as a request like this is quite rare so I can't promise whether it will be implemented into the plugin in the future or not - you probably noticed if you tried to look up solutions first, not many options out there for getting this sort of setup.

    If you have further questions just let us know :slight_smile:

    Cheers,
    Tyler

    PS. @Michael - thanks for chipping in with the helpful info!

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.