I’m working on a site where a user registers and has the ability to create various custom post types (let’s call them tournaments for simplicity although it’s slightly more complicated than just one CPT) that other site visitors can view. The user has what amounts to some front end dashboard pages to manage their various tournaments. They don’t have access to the WP backend. Users have account and profile pages in addition to that and everything else you would typically see on a membership style site.
I don’t currently have SSL implemented but would like to. I was playing around with it the other day on a test site and came across something I can’t figure out the best way to handle. I had planned on making all login/admin/account/dashboard pages served via HTTPS and keeping the “tournament” front end pages as well as blog articles and such served via HTTP. However, when I do that and I am logged in (via HTTPS), and go to one of the tournament pages…it logs me out or at least shows me as logged out on that page. This makes sense given that I’m logged into the HTTPS side, but I don’t really know how I should handle this. I have different menus for logged in vs not and I obviously don’t want it to randomly log out users just because they go to a page I’m not forcing SSL on. The vast majority of site visitors will not have accounts and I don’t have a need now to secure all the pages outside of the aforementioned account pages.
My options as I see them:
You either go site-wide HTTPS, or should not bother with it in the first place. Whether it should be for all access or just for logged-in users depends on the profile of your traffic. If most traffic will come from registered users, then just go unconditional HTTPS, as doing it conditionally just for logged-in users obviously introduces more testing and might not play great with plugins that do not handle this situation well.
Side note: You should ask yourself why to do it at all. Going HTTPS improves the general security against targeted attacks on specific users, but does not improve the general security of the site by much. It is more likely that a user’s account will be broken into by brute force than by someone “listening” to his traffic.
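One way to implement the site-wide HTTPS option from the answer above, as an added example that is not part of the question or the answer: a must-use plugin that redirects every plain-HTTP request to HTTPS and keeps the login cookies Secure-only. It assumes the WordPress Address and Site Address settings already use https:// and that the plugin file is placed at wp-content/mu-plugins/force-https.php.

```php
<?php
/**
 * Added example (not from the original post): force site-wide HTTPS.
 * Assumes the site's home/siteurl options already start with https://.
 * Pair it with `define( 'FORCE_SSL_ADMIN', true );` in wp-config.php so the
 * login form and wp-admin are also served only over HTTPS.
 */

// Redirect any plain-HTTP request to its HTTPS twin before a page is rendered,
// so that no page (tournament listings, blog posts, dashboards) is ever served
// over HTTP and the browser always has a scheme on which it will send the
// Secure-flagged login cookie. wp_safe_redirect() only redirects to hosts
// WordPress already trusts, so a spoofed Host header cannot bounce the user
// to a foreign site.
add_action( 'init', function () {
    if ( is_ssl() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return; // already HTTPS, or running from the command line
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    wp_safe_redirect( $target, 301 );
    exit;
}, 1 );

// Keep the auth and logged-in cookies Secure (HTTPS-only). The "logged out on
// the HTTP tournament page" symptom in the question is exactly this flag doing
// its job: a browser never sends a Secure cookie over HTTP, so WordPress sees
// an anonymous visitor there. With every page on HTTPS the cookie travels on
// every request, and it can never be replayed from a plaintext connection.
add_filter( 'secure_auth_cookie', '__return_true' );
add_filter( 'secure_logged_in_cookie', '__return_true' );
```

After enabling this, log in once more so the cookies are reissued with the Secure attribute; sessions created before the change keep their old flags until they expire.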