Force SSL on a WordPress site

February 1, 2011WordPress

I’m revamping the subscription process on the Singletrack website at the moment, and as we will soon be taking Direct Debit online (we currently take credit cards online using the excellent Spreedly). We’ll therefore need an SSL certificate on this section of the site.

I’ve set up a new ‘blog’ using WP Multisite, which will deal with all the subscription tasks (be that Spreedly, DD, voucher code, or whatever). That way I can grant permissions to particular users on the site – the journalists who have access to the main site do not need access to the subscription process.

I’ve set

define('FORCE_SSL_ADMIN', true);

in the wp-config.php file. (Administration_Over_SSL)

But we want to force SSL on only the subscription site, not on the rest of it. In this particular case the $blog_id is 6.

Here is the code:

/*
Plugin Name: Force SSL
Description: Force use of SSL on only specified site - Network Activate only.
Version: 1.0
Author: Tom de Bruin
Author URI: http://deadlyhifi.com/blog

Site Wide Only: true
Network: true
*/

function ssl_check() {
	global $blog_id;

	if ( !is_ssl() && $blog_id == 6 ) {
   		$redirect = "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];	
		wp_redirect($redirect);
		exit();

	} elseif ( is_ssl() && $blog_id != 6 )  {
		$redirect = "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];		
		wp_redirect($redirect);
		exit();	
	}
	
}

// don't SSL check if on an admin page or on the login page.
// wp-login.php return odd results as to where it is.
if ( !is_admin() && !strpos($_SERVER["REQUEST_URI"], 'wp-login.php') )
	add_action('plugins_loaded', 'ssl_check');

There’s a handy WordPress function called

is_ssl()

(is_ssl()) which will return true or false.

All I’m doing is a simple redirect. If the SSL is not on, and the blog_id is 6 then we want to redirect to https://, if SSL is on and we’re not on blog_id 6 we want to redirect to http://.

Note that we are only calling the function if we’re not in the admin area, and not on the wp-login.php page. If it was active on wp-login.php it caused a redirect loop. It seems wp-login.php couldn’t figure out if it was SSL or not.

Remember to set the correct blog id if you’re using something like this on your plugin. And the Site Wide Only: true just makes sure that the plugin can only be activated site-wide.

  • http://twitter.com/Heliker Scott Heliker

    Hi, I have been looking all over to do something similiar but I would like to force ssl on all newly created blogs..

    I have a multi site wp install using subdirectories instead of sub domains… I have an ssl on the main domain..

    When someone creates there own blog the site url and home url default to http  instead of https..

    I have to manually go to network admin – there site- edit – settings- and put the s after the http…

    Can you help me with what code and where I would need to enter it to make this happen everytime  a new blog is created…

    Thanks.. Scott

    the pic below by ticking the check doesnt seem to work.. have to go to settings… so not sure how to add something to a wp file to automate this……

    need the site url  and home url   to automatically have the https prefix…  Thanks

    • http://twitter.com/deadlyhifi Tom de Bruin

      I’m not entirely sure, I’ve never done that before. Is it possible to use the ‘wpmu_new_blog’ hook to edit to https://?
      Otherwise you may be better asking your question on http://wordpress.stackexchange.com/