• I’m looking for a plug-in that will allow me to create a network of sites with confidential user data. All access restricted to authorized users. All page traffic encrypted. Each site should have its own set of authorized users. As the service provider, I will have access to all sites, but the users only have access to the site with their data on it.

    === background ===

    I’m new to WordPress and unfortunately what I need is best served with multisite (sub-folders).

    I’m building a customer portal where each site will have info confidential to that customer. It will have project status info as well as files being sent back and forth (typically zip files, so not a lot of files, but they may be multiple GBs each).

    I have a dedicated VM for my site network. I installed a virgin CentOS 7 VM yesterday and got multisite working this evening. It is barebones at the moment, no themes or plugins yet. No customization, but I did create a secondary site (https://portal.intelligentavatar.net/av001/).

    (I have a dummy ssh cert for now, so ignore the security warning).

    I tried “WordPress HTTPS” but my site locked up and I removed it.

    Is there a plug-in that will let me force all pages to be served via https, or do I have to do that via Apache and a different page for port 80?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Greg,

    Take a look at this. It should work for your situation.

    Thread Starter gregfreemyer

    (@gregfreemyer)

    He’s using WordPress HTTPS as a plug-in.
    https://www.ads-software.com/plugins/wordpress-https/

    It hasn’t been updated in 2 years and only claims support through 3.5.2.

    When I gave it a quick test last night it broke my extremely minimal site.

    Is there a similar plug-in that is maintained and works with 4.x.x?

    Should I ignore the lack of claimed compatibility and try to get WordPress HTTPS working anyway?

    Greg,

    I’m currently using the plugin on a number of sites with no issues. The reason you would really need a plugin is to force HTTPS on links put into the content, stylesheets, JavaScript, etc. If you can change your theme to be sure it’ll always load a secure version, then you could go plugin-free, but it’s unlikely you’ll be able to guarantee this once you start adding in plugins.

    You should be able to substitute another “force HTTPS” plugin, but I don’t have any specific suggestions on that for you since I currently use the WordPress HTTPS one. I have noticed that if you try to use a self-signed certificate (i.e., not a real one), it does have issues, but that’s not something you’d be doing in the real world anyhow.

    Hope that helps!

    I’m running https with no “force https” plugins. Once you have a set of plugins and a theme chosen and get those cleaned up, you don’t really need anything to force https. The only issues are when a theme or plugin calls external assets, e.g. I had a plugin that pulled a placeholder image from https://placehol.it. That was giving me the mixed content issue and taking away my padlock. Once you have SSL set up on your host/server, you set up .htaccess to redirect anything http to https. To help find any non-secure items: https://www.whynopadlock.com/
    There are also a couple of plugins that will help with “non secure” items, but as long as no file has https:// in its contents and all files are on your SSL server, everything’s secure. You can even use Google Fonts and have the padlock, as those come from an https:// address, but the preference would be all files originating from your server.
    WP already has some built-in switches that you can use, and simply making sure everything says https in all WP settings does most of it. You may have to check the database for https:// entries. I had a couple in the wp_site_options table.
    wp-config can have some definitions added. https://codex.www.ads-software.com/Administration_Over_SSL That one will force SSL for login and admin pages. I’m using it, but it’s redundant since my whole site is https/SSL, but redundancy never hurts when it comes to security.

    Search the wp site for “force ssl” and you’ll find more info.

    Next you’ll need some way to lock the site(s) down from non-logged-in surfers. Admin pages aren’t really a problem as they only show to logged-in users anyway. A membership plugin would work, but most of them are a mess and also tend to be social based with profiles, wall, like buttons etc. The two I was down to until yesterday were Paid Memberships Pro and Ultimate Members. Somewhere recently I saw a switch to “make site private” but I’m not sure where. It was either in one of those two plugins or WP itself. UM is loaded with switches for logged-in users only, from the menu items to the posts and pages, so it might be that one.
    Paid Memb. Pro has one feature that’s pretty slick for multisite. It can create a site upon user registration. However, it’s a blank site with no settings carried over from another so then you get into setting defaults for all new blogs. I’m using it with one of the multisite clone plugins that has a setting for which subsite to use as the default for all new blogs no matter how they’re created. I had to modify a pmpro file so that it wouldn’t come back with a page telling the new site owner they were reclaiming their old blog and not giving them any links. Something about the cloning made it think they were reclaiming a site. The modified file was actually the addon plugin for pmpro to create sites and didn’t come through wp.org so I don’t have to worry about it getting overwritten by an update.
    At long last, I have it so someone fills out the registration form including CC info, clicks submit, payment is processed/site created, and when the page refreshes, they have a link to manage their new site and are already logged into it. And this site is cloned from an unpublished master copy and has all plugins, themes, settings and content from it.
    I’m not sure what you will have to do for credentials. I don’t know if you’ll be dealing with existing customers or new signups.
    You’re basically trying to use a CMS as a CRM but I understand. I looked into CRMs quite a bit at one time. 20 bucks per person per month. Dolibarr was the only thing I found that was truly open source and free.
    You’ve probably seen it, but every site can have an upload quota and max file size set, so you’ll have to set those.
    I think Comodo is about the cheapest CA out there. Make sure you get SHA-2 and not SHA-1 as SHA-1 is about to become obsolete.
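
The mixed-content problem described in the last reply (a theme or plugin pulling an asset over plain HTTP and removing the padlock) can be checked offline against saved page source. This is an added example, not code from the thread or from WordPress; the function names, the `portal.example` host and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> (URL attribute, mixed-content class). <a href> is navigation, not a fetch.
FETCHING = {
    "script": ("src", "active"), "iframe": ("src", "active"), "link": ("href", "active"),
    "img": ("src", "passive"), "video": ("src", "passive"), "source": ("src", "passive"),
}

# Constructed sample markup for a page served over HTTPS (not from the thread).
SAMPLE_HTML = """
<link rel="canonical" href="http://portal.example/av001/">
<script src="//cdn.example/lib.js"></script>
<script src="http://stats.example/t.js"></script>
<img src="http://img.example/placeholder.png">
<img src="logo.png" srcset="logo.png 1x, http://img.example/logo2x.png 2x">
<a href="http://other.example/">partner site</a>
"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def _check(self, kind, tag, raw):
        # Resolve relative and protocol-relative URLs against the page URL first.
        url = urljoin(self.page_url, raw.strip())
        if urlparse(url).scheme == "http":
            self.findings.append((kind, tag, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in FETCHING:
            return
        attr, kind = FETCHING[tag]
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # simplification: of <link> kinds, only stylesheets are checked
        if attrs.get(attr):
            self._check(kind, tag, attrs[attr])
        for candidate in (attrs.get("srcset") or "").split(","):
            if candidate.strip():  # each candidate is "URL descriptor"
                self._check(kind, tag, candidate.split()[0])

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    print(find_mixed_content("https://portal.example/av001/", SAMPLE_HTML))
```

Findings marked `active` (scripts, stylesheets, frames) are the ones browsers block outright on an HTTPS page; `passive` ones (images, media) are what typically costs the padlock.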

  • The topic ‘securing a private customer portal – is there a plug-in?’ is closed to new replies.