SSL secure all Multisite (subfolders) subsites

  • Resolved lucabarbetti


    I’d like to try to secure with SSL all my development WordPress Multisite installation for testing purposes. I just did it in a single WordPress site but I have (always!) more doubts when it comes down to Multisite.
    Reading topics and comments in this forum I believe that one SSL certificate should be enough because I have subfolders.
    To enable SSL for all my single WordPress site I changed http into https in Settings –> General:
    WordPress Address (URL) – https://localhost:44300/
    Site Address (URL) – https://localhost:44300/
    (well, 44300 is the default port used by WebMatrix when SSL enabled)
    I thought to do the same with Multisite but, since I can’t do this change in Network Settings, do I have to do it in Sites –> Edit Site –> Settings for every subsite (Siteurl, Home, Fileupload url)?
    Also, since the multisite ‘uses’ port 80 (http://localhost/, I might be wrong but this is required by Multisite-Subfolders, isn’t it?), should I use the standard port 443 when SSL is enabled? Or can I make changes like:
    http://localhost/ –> https://localhost:44301/
    http://localhost/es-ES/ –> https://localhost:443001/es-ES/
    http://localhost/fr-FR/ –> https://localhost:443001/fr-FR/
    I’m asking this because when I enable SSL on the IIS Express server through WebMatrix, it binds everything to ports like 44300 and above, therefore if I can’t use a port other than 443 I need to redo the binding.
    Thanks a lot.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Reading topics and comments in this forum I believe that one SSL certificate should be enough because I have subfolders.

    Should be, yup 🙂

    You may need a plugin like to force https across the board.

    Hi Mika,
    I’ve seen that plugin, although I think that it’s an interesting plugin, I haven’t tried it because on the FAQs the author says:

    How do I make my whole website secure?
    To make your entire website secure, you simply need to change your site url to use HTTPS instead of HTTP.

    Which is what I did for the single site by the way, therefore I thought that it was better suited for those websites that want to secure only some areas, like admin pages, login, edit profile, etc.
    And that would be ok if only I hadn’t read on the web that mixed http/https browsing is potentially dangerous for logged in users, because it exposes users’ cookies to the unfriendly world, so to speak.
    Ideally I would like to come up with a situation where users normally use “http” on the frontend but once they log in they use “https” everywhere, back and front end, until they log out. So I have to find an easy-enough-for-me way to recognize logged in users and keep their connections ‘always secure’ through https and SSL.
    Even an always on secure connection, whether the users are logged in or not, would be ok I guess.
    Do you think it’s possible? I mean for me, obviously! :o)
    Thanks a lot

    I thought to do the same with Multisite but, since I can’t do this change in Network Settings, do I have to do it in Sites –> Edit Site –> Settings for every subsite (Siteurl, Home, Fileupload url)?

    Basically that’s what you have to do :/ And even then I’m not 100% sure it’ll work.

    Hi Mika,
    (Houston) I have a problem!
    You might well say that this is nothing new… 🙂
    It doesn’t seem like the protocol part http:// is changeable on the main site, in fact in Sites–>Edit Site–>Settings http://localhost is greyed out in all the instances (Siteurl and Home) except Ping Sites, File Upload URL and Network Sidebar Login Forum Url.
    Instead in the subsites, like http://localhost/fr-FR, Siteurl and Home aren’t greyed out.
    How can I change the protocol in the URLs of Siteurl and Home of the main site?
    Have a nice day and thank you.

    You’d have to set it before you flip on Multisite, I’d imagine. Or edit directly in the DB.

    Ouch! Editing a database, never done before…
    I guess that I’ll try to edit the DB first and if I break the database, turning my test site into garbage, then I’ll try to set https on a new installation before flipping to multisite.
    Hopefully I’ll be able to publish my website before the end of my days! 🙂
    Thanks a lot Mika.

    Hi mika,
    I looked at the tables of my database and found the “http”s, that I’m supposed to change into “https”s, only in the options tables. I have three of them: wp_options for the main site, and wp_2_options and wp_3_options for the subsites. (Well, also in the links tables there are “http”s but they are in the links to
    I changed them manually one by one and, after a couple of failed attempts, the secured site came to life. Overall it seems to work even if there are some rough spots that I’d like to eliminate. For example, if I want to add a custom menu link, WordPress still starts the URL with “http://”. I noticed it because I had to change all the custom menu links that I had already, but I’m sure that I’m going to find more links that need to be manually adjusted.
    Now I think that I need to find a way to redirect all the requests to the http site to the secured one.

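    RewriteEngine On
    # Redirect only requests that did not arrive over HTTPS
    RewriteCond %{HTTPS} off
    # R=301 sends an external redirect; L stops later rules from rewriting the target
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]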

    Maybe? In theory that should do it.

    I guess that I have to add that code to the .htaccess file.
    I’ll keep that in mind when I publish my real website, but I realized that I don’t need it in my development environment right now. In fact, for some kind of magic, the website responds at http://localhost and then, whatever thing one does or clicks, she goes directly through https to the corresponding secured page and never leaves the secured site.
    I don’t know exactly why it works this way but I think it depends on WebMatrix and its behind the back “bindings”: WebMatrix uses a file named applicationhost.config where there is something like this:

      <binding protocol="http" bindingInformation="*:80:localhost" />
      <binding protocol="https" bindingInformation="*:443:localhost" />

    Thanks a lot for your help and support, have a good day! 🙂

    Hi Mika,
    I’m uploading my website and I wonder where I am supposed to put your snippet of code, I have an .htaccess file that looks like this:

    # Use PHP5 Single php.ini as default
    AddHandler application/x-httpd-php5s .php
    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    # uploaded files
    RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]
    # add a trailing slash to /wp-admin
    RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule  ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L]
    RewriteRule  ^[_0-9a-zA-Z-]+/(.*\.php)$ $1 [L]
    RewriteRule . index.php [L]
    # END WordPress
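
Where the redirect goes in the .htaccess posted above, as an added example that is not part of the original thread: it sits before the `# BEGIN WordPress` block and ends with `[L]`, because otherwise the later `RewriteRule . index.php [L]` rewrites the redirect target again. The `R=301` status and the proxy note in the comments are assumptions about the hosting setup, not something stated in the thread.

```apache
# Use PHP5 Single php.ini as default
AddHandler application/x-httpd-php5s .php

# --- added: send every plain-HTTP request to HTTPS (assumes mod_rewrite) ---
RewriteEngine On
# %{HTTPS} is "off" when the request reached Apache without TLS.
# Assumption: TLS terminates on this Apache instance. Behind a proxy or load
# balancer that terminates TLS, %{HTTPS} stays "off" and this rule loops.
RewriteCond %{HTTPS} off
# R=301: external permanent redirect (use R=302 while testing, browsers cache 301s).
# L: stop processing so the WordPress rules below never see the https:// target.
# %{HTTP_HOST} echoes the client's Host header; on a single-host site the
# hostname can be written out literally instead.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# BEGIN WordPress
# (the existing block, from "RewriteEngine On" through
#  "RewriteRule . index.php [L]", stays exactly as it is)
# END WordPress
```

With the redirect above the WordPress block, requests for subsite paths such as /fr-FR/ are redirected before the multisite rules strip the subfolder prefix, so the browser lands on the same path over HTTPS.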


  • The topic ‘SSL secure all Multisite (subfolders) subsites’ is closed to new replies.