Securing Your Site with HTTPS

In order to accept credit cards on your site and be PCI compliant you must have an SSL certificate and use HTTPS on all pages that collect credit card information. HTTPS provides authentication for your web site and associated web server, which protects against man-in-the-middle attacks. Additionally, it provides bidirectional encryption of communications between a customer's browser and your server, which protects against eavesdropping and tampering with and/or forging the contents of the communication.

In this article we'll cover the steps you'll need to go through in order to ensure your site is secure. This article may also be helpful: http://www.wpbeginner.com/wp-tutorials/how-to-add-ssl-and-https-in-wordpress/.

Purchase and Install a SSL Certificate

There are a number of companies you can purchase SSL certificates from including GoDaddy, VeriSign and GeoTrust to name few. Once you've purchased an SSL certificate, you'll need to work with your hosting provider to get it set up on your server.

Verify Your SSL Certificate is Installed Correctly

Once you've worked with your hosting provider to get the SSL certificate installed, you can verify that everything is set up correctly by using this SSL Checker.

Check WordPress SSL Settings

If you're going to utilize the HTTPS plugin we recommend below then you'll want to make sure that WordPress isn't forcing SSL. Do this by going to the wp-config.php file and checking if FORCE_SSL_ADMIN is being defined there and if so, make sure it's set to false. Here are detailed instructions of working with the force SSL setting.

Secure Pages on Your Website

Once your SSL certificate has been successfully installed, you'll want to ensure that HTTPS is used on all the pages on your site that collect sensitive information. This can easily be done with the WordPress HTTPS plugin.

IMPORTANT: After activating the WordPress HTTPS plugin go to the settings screen and in the General Settings section make sure that the Force SSL Exclusively option is unchecked. When this is checked the WordPress HTTPS plugin accidentally modifies the URL on MemberMouse checkout forms to be unsecure. The result is that in some browsers customers will be shown a warning message when they attempt to submit the checkout form. To avoid this, just ensure that the Force SSL Exclusively option is unchecked as displayed below:

You will also want to add a URL filter for the php process script that MemberMouse uses for transactions.  This can also be added in the URL Filter section.  You will want to add this URL

/wp-content/plugins/membermouse/api/processOrder.php



Next, go to each page that needs to be secure and check off Secure post in the HTTPS module. You'll want to do this for the MemberMouse Checkout and My Account core pages and any page you've included a MemberMouse checkout form on.

Ensure That Your Pages Are Fully Secure

Once you've installed a plugin to handle HTTPS and you've configured which pages should use HTTPS, you'll want to check and make sure there aren't any insecure items being loaded on your secure pages as this will typically cause the browser to show a warning to the user informing them that the page is not secure. In some browsers, like Chrome, they're more strict and will terminate rendering the page when an insecure item is encountered. You can use this tool to ensure that your pages are fully secure. If the report tells you that you have insecure items on your page, use this resource to fix the insecure items.

Feedback and Knowledge Base