I have a wp multiste with a subdomain structure and a wildcard SSL cert. My multiste has enabled registration for anyone t create a site.
I know how to do both:
1. just the admin to have have https
or
2. https everywhere (frontend and admin).
I’m not sure what one to choose.
WordPress.com have https everywhere on all their users sites, and to my knowledge google announced in 2014 they give an improved ranking for sites that use https. Seems good reasons to have https everywhere.
But of course https, may slow the website down.
So is there much benefit to have https everywhere.
Also why would you have https on the frontend? Usually you only need it when users fill in forms/giving away personal details where security is needed. What benefit would there be in having https everywhere.
Thanks in advance
1 Answer
Once you have https for admin users you need to have https on the front end as wellat least for the logged-in users as their authentication cookies will be sent in clear text when they access the front end and 3rd parties will be able to duplicate them and use them to get into the admin area for that user.
This do not require https everywhere but it is just the mentally easier option, and you don’t need to worry about some bug in some badly coded plugin or theme exposing your user’s cookies. For the option of SSL only for logged in users take a look at http://codex.wordpress.org/Administration_Over_SSL, couldn’t find anything more recent so you should use it as starting point for investigation.
