October 19, 2015 at 3:37 pm #13182LiliaLMember
I want to use WP eStore with Stripe using the Gateway Bundle addon (which I already have purchased).
My question is whether I need to purchase a SSL certificate to add to the website if I am using Stripe with WP eStore? Stripe suggests I do and I wonder if I need to.
I have searched the forum and didn’t find an answer.October 19, 2015 at 6:54 pm #71650
When you are using the Payment Gateway Bundle; you perform local processing of customer credit card information on your server. The customer (without the bundle) normally sends the credit card information directly to Stripe, using Stripe’s SSL certificate; which encrypts the card information. With the bundle, that same information is first sent to your server.
Without an SSL certificate, customer credit card information will not be encrypted; as it is sent from the customer’s browser to your server. This opens you up to potential liability issues:
October 19, 2015 at 8:22 pm #71651
- Customers will *know*, via their browser address bars, that you are accepting unencrypted credit card information. This may dissuade customers from completing their transactions; and you will lose sales.
- Encryption of transmitted information is required for PCI compliance.
- Your site becomes an attractive target for “man in the middle” hacker attacks.
- You may be in violation of your country’s data privacy laws.
- If you are sued, after a hacker attack, you will be “at fault,” because you did not use an SSL certificate.
Really? But I tihnk this is exactly what I’m doing! I didn’t know I need an SSL certificate.
I integrated to Stripe through your Payment Gateway Bundle and didn’t see anything about needing an SSL certificate. How do I sort that out?
Can you point me to some documentation please?
DerekOctober 19, 2015 at 8:30 pm #71652
There is nothing that will stop or prevent you from using the Payment Gateway Bundle Addon, without an SSL certificate. But you do so at your own risk. Stripe has already said that you “should.” It’s like the parking brake on your car. You don’t “have to use it,” but if an accident happens, the insurance company may not pay you.October 19, 2015 at 9:27 pm #71653
Ok, thanks. Glad I found out now. I just upgraded my Bluehost account to get an individual IP address with an SSL certificate. Presumably I don’t have to do anything else and the magic will just happen?October 19, 2015 at 10:31 pm #71654
You need to install a plugin that will “force” pages to use SSL.October 19, 2015 at 10:58 pm #71655
Thanks for that advice. It just leads to two questions:
1. That plugin you recommend looks completely untrustworthy. Only 5 reviews and almost all bad? When dealing with SSL surely we need a highly reputable plugin with thousands of users and a high rating?
2. What are the consequences of forcing https everywhere versus only on the page/s with credit card details? E.g. does putting it on part of the site only put you to risk (even though it’s on the payment pages?) Also, is there any reduction in site loading speed when using https (I have a very image-heavy site so I only want latency to occur when it’s unavoidable).
Thanks very much
DerekOctober 19, 2015 at 11:03 pm #71656
In “the old days,” it was customary to only force SSL on pages that required it. Unless you are paying for a really low end server package; forcing SSL on all pages is of no consequense. Google has been full-time SSL for the last few years now.
As for which plugin to use, take your pick. There are several more “free” plugins to choose from.October 19, 2015 at 11:12 pm #71657
We have a plugin for this that will force redirect to HTTPS pages on your site. You can choose to select only a few pages to be on HTTPS also:October 19, 2015 at 11:15 pm #71658
It is very important to understand that our plugin doesn’t require you to use SSL. You ONLY need it if the payment gateway you are using needs it.
The API of every single payment gateway is different. So ask your payment gateway provider if they need you to use SSL.
If the payment gateway you wan to use requires a SSL certificate then that means you will need SSL (regardless of whatever plugin you use).
Is that clear?October 19, 2015 at 11:37 pm #71659
Ok, thanks for this. At the moment WP Force SSL is looking good.October 20, 2015 at 5:31 pm #71660LiliaLMember
Wow! Good discussion. Glad I asked.October 30, 2015 at 4:08 pm #71661bentley74Member
Interesting topic (something I too was wondering about once I noticed that the CC page was going to be on my own site)!
Pretty sure you can use a free service like Cloudflare (which also has more robust paid options) to establish SSL on your website. And it has other perks as well.July 12, 2016 at 11:48 pm #71662advexpMember
Hi there, I’ve installed Braintree addon for WP eStore and using the HTTPS Redirection plugin. We have a valid SSL certificate installed and run our DNS through CloudFlare CDN service. We’re using the HTTPS Redirection plugin (works great btw!), several pages are set to HTTPS including (store, donate, and contact) and have green padlocks as expected.
QUESTION – Wondering why all pages work as expected with green padlock, but on our home page [http://www.lifestreams.org] it shows the padlock, but turns yellow (with a caution symbol)?
I realize it means “parts of the page are not secure (such as images)”, but the same is true for the other pages, which show the green padlock. Just concerned that the home page yellow/caution will concern site visitors re: our site security – even though all other pages are green. Please advise. Thanks!July 13, 2016 at 2:34 am #71663
It will NEVER show a FULL green padlock sign if you have some images or other static resources that are loaded using a non-https URL on a secure page.
Do the following to find out which resource need to be corrected:
1) Open the page where you have the HTTPS issue.
2) View the HTML page source.
3) Search for “http://”
4) Go through the entries and see if you have any image file, CSS or JS file that are loaded using http. If they are then you need to fix that so it is loaded using https.
- You must be logged in to reply to this topic.