Why You MUST Provide a Secure URL for Facebook Tab Manager

As of October 1, 2011, all Facebook apps and tabs must be available at an https address, which means your web hosting account must include an SSL Certificate (see the official announcement from Facebook). This was not true when Facebook first introduced the ability to add custom page tabs, and so many Facebook Tab Manager users have created custom tabs without having SSL enabled on their sites.

As an alternative, Facebook Tab Manager hosting with built-in SSL support is also available through TabMgr.com.

If you have a basic website hosting account, you probably do not have an SSL certificate included. Some hosts make a “shared certificate” available, associated with the host’s domain, but I have not heard of anyone getting this to work. In other words, you probably need to pay for your own certificate and get it installed on your server. Also, you will need an Internet Protocol address for your domain. Most basic hosting accounts use a shared IP address for multiple domains, so this may be another upgrade you have to pay for.

However, making this investment brings other benefits, such as better security for the administration of your WordPress site. With a couple of tweaks to your WordPress configuration file, you can make sure your password and session credentials will always be protected (see below).

The simplest way of SSL-enabling your website may be to purchase the SSL certificate from your web host and have them install it. On the other hand, you may find that it is more cost effective to purchase the certificate from a firm such as GoDaddy or one of several other firms authorized to act as certificate authorities. The exact process for obtaining and installing a certificate will vary depending on your web hosting setup and the certificate authority you do business with. Here is one good (but vendor-specific) explanation:

http://www.instantssl.com/ssl-certificate-support/guides/ssl-certificate-introduction.html

When you have completed the installation, you should be able to view pages on your site with an https rather than an http prefix on the URL (web address). This also means you can register your Facebook Tab Manager tabs in the Facebook Developer utility with an https address, and add an https to any existing tab content you registered previously.

Securing Your WordPress Administration

Now that you’ve spent the money on an SSL certificate, you should also secure administrative access to your website.

You do this by editing your wp-config.php file to include an additional entry.

The constant FORCE_SSL_ADMIN can be set to true to force all logins and all admin sessions to happen over SSL.

Example

define('FORCE_SSL_ADMIN', true);

This must be placed before the section at the end of the file that reads

/* That's all, stop editing! Happy blogging. */
...
require_once(ABSPATH . 'wp-settings.php');

Parameters that you add after this statement will be ignored.

For more details and variations, see the longer explanation of SSL Administration options at WordPress.org.