What's the right move with SSL for user based site?

I’m working on a site where a user registers and has the ability to create various custom post types (let’s call them tournaments for simplicity although it’s slightly more complicated than just one CPT) that other site visitors can view. The user has what amounts to some front end dashboard pages to manage their various tournaments. They don’t have access to the WP backend. Users have account and profile pages in addition to that and everything else you would typically see on a membership style site.

I don’t currently have SSL implemented but would like to. I was playing around with it the other day on a test site and came across something I can’t figure out the best way to handle. I had planned on making all login/admin/account/dashboard pages served via HTTPS and keeping the “tournament” front end pages as well as blog articles and such served via HTTP. However, when I do that and I am logged in (via HTTPS), and go to one of the tournament pages…it logs me out or at least shows me as logged out on that page. This makes sense given that I’m logged into the HTTPS side, but I don’t really know how I should handle this. I have different menus for logged in vs not and I obviously don’t want it to randomly log out users just because they go to a page I’m not forcing SSL on. The vast majority of site visitors will not have accounts and I don’t have a need now to secure all the pages outside of the aforementioned account pages.

My options as I see them:

  1. Force SSL on the entire site without exception. I don’t think I have a particular problem with this, if this is the accepted practice now. It sounds like there may be some pain down the road, however, with caching or CDN implementations.
  2. Force SSL for any logged-in user on every page they visit. Non-logged-in visitors would get HTTP only.
  3. Am I missing something else? I want to force SSL only on the account and login pages, but it wasn’t a friendly experience the way it worked. It seems like this would be a common scenario; hopefully I’m describing it well enough. I’ve read every blog post out there on SSL for WordPress and am aware of the simple one-liners to force SSL on login and admin, and I can make any htaccess changes and functions to do what I need.


Answers

You either go site-wide HTTPS, or should not bother with it in the first place. Whether it should be for all access or just for logged-in users depends on the profile of your traffic. If most traffic will come from registered users, then just go unconditional HTTPS, as doing it conditionally just for logged-in users obviously introduces more testing and might not play great with plugins that do not handle this situation well.

Side note: You should ask yourself why to do it at all. Going HTTPS improves the general security against targeted attacks on specific users, but does not improve the general security of the site by much. It is more likely that a user’s account will be broken into by brute force than by someone “listening” to his traffic.
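The following is an added example, not code from the asker or the answerer, showing both policies discussed above as a WordPress must-use plugin: the conditional policy (option 2 in the question, logged-in users are always moved to HTTPS) and the unconditional, site-wide policy the answer recommends. The constant `EXAMPLE_HTTPS_MODE` and the `example_*` function names are assumptions made for this example; `FORCE_SSL_ADMIN`, `is_ssl()`, `is_user_logged_in()`, `wp_safe_redirect()`, the `template_redirect` action and the `secure_logged_in_cookie` filter are WordPress core names.

```php
<?php
/**
 * Plugin Name: Example: HTTPS policy for a membership site
 * Description: Added example for the thread above, not the original poster's
 *              code. Place in wp-content/mu-plugins/ so it loads on every request.
 *
 * EXAMPLE_HTTPS_MODE (assumed name, not a core constant):
 *   'logged_in' -> option 2: only logged-in users are redirected to HTTPS
 *   'always'    -> site-wide HTTPS, as the answer recommends
 */

// Assumed wp-config.php settings, not part of this file:
//   define( 'FORCE_SSL_ADMIN', true ); // core: wp-login.php and wp-admin over HTTPS
// If TLS terminates at a proxy or CDN, is_ssl() only sees the plain-HTTP hop
// behind it; set $_SERVER['HTTPS'] = 'on' in wp-config.php when
// X-Forwarded-Proto is "https" and the proxy is trusted to overwrite that header.

if ( ! defined( 'EXAMPLE_HTTPS_MODE' ) ) {
    define( 'EXAMPLE_HTTPS_MODE', 'logged_in' );
}

/**
 * Decide whether the current request must be moved to HTTPS.
 * Returns false when the request already is HTTPS or the policy does not apply.
 */
function example_https_required() {
    if ( is_ssl() ) {
        return false;
    }
    if ( 'always' === EXAMPLE_HTTPS_MODE ) {
        return true;
    }
    // Conditional mode: is_user_logged_in() reads the logged_in cookie, so that
    // cookie must be sent on HTTP pages too (see the filter below).
    return is_user_logged_in();
}

add_action( 'template_redirect', 'example_redirect_to_https' );
function example_redirect_to_https() {
    if ( ! example_https_required() ) {
        return;
    }
    // Build the target from the configured home host, not from HTTP_HOST, so a
    // spoofed Host header cannot turn this into an open redirect; wp_safe_redirect()
    // additionally refuses hosts outside allowed_redirect_hosts.
    $host   = wp_parse_url( home_url(), PHP_URL_HOST );
    $target = 'https://' . $host . wp_unslash( $_SERVER['REQUEST_URI'] );

    // 302, not 301: in conditional mode the same URL is legitimately served over
    // HTTP to anonymous visitors, and browsers cache a 301 regardless of cookies.
    wp_safe_redirect( $target, 302 );
    exit;
}

/**
 * WordPress keeps the auth cookies (wordpress_sec_*) flagged Secure after an HTTPS
 * login, and when the home URL is https:// it flags the logged_in cookie Secure as
 * well. A Secure cookie is never sent on an HTTP page, so such a page sees the
 * visitor as anonymous, which matches the symptom described in the question.
 * Conditional mode therefore has to let the logged_in cookie travel over HTTP.
 * That is the cost of the split scheme: the cookie carries the username and can be
 * captured on the wire, which is why the answer prefers site-wide HTTPS.
 */
add_filter( 'secure_logged_in_cookie', 'example_logged_in_cookie_scheme', 10, 3 );
function example_logged_in_cookie_scheme( $secure_logged_in_cookie, $user_id, $secure ) {
    if ( 'always' === EXAMPLE_HTTPS_MODE ) {
        return $secure; // site-wide HTTPS: leave every cookie Secure
    }
    return false; // conditional mode: logged_in cookie must reach HTTP pages
}
```

With `EXAMPLE_HTTPS_MODE` set to `'always'`, the filter leaves all cookies Secure and every HTTP request is redirected; in that mode the redirect is normally better done at the web server or CDN in front of WordPress, with the site and home URLs set to `https://`, so that no request reaches PHP over plain HTTP at all. Whichever mode you pick, check it behind your real proxy or CDN: a wrong `is_ssl()` result produces an infinite redirect loop.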