WordPress and SSL logins?


mdreher
09-04-2008, 07:48 AM
It's been a long time since I've posted, but that's probably because FQ has been working quite well for me. :)

I'm trying to set up WP on two different plans. One plan has an SSL certificate installed; the other is using a shared SSL.

On the plan with the private SSL, I'd like to have SSL login as well as a part of WP that is secured (basically, part of the site will be secure, the other won't).

On the site with shared SSL, only the login really needs to be secure.

I've tried reading various places, but I think I'm not finding/understanding what I need to do. I know various people here have used WP. What do I need to do to make these parts of the sites secure? Thanks in advance for the help!

sheila
09-05-2008, 02:32 AM
I wonder if I'm missing part of what's going on here, but on the assumption that I "get" your question and the setup situation...

You would install WP in the
/big/dom/xdomain/www/Secure_Server
directory, or a subdirectory thereof.

Once you have put the files in there, it is only accessible via HTTPS (secure HTTP or HTTP over SSL).

The address (URL) for the private SSL WP (assuming you put it directly into the Secure_Server directory) would be

https://secure.domain.com/

(if you used the default "secure" subdomain, which is our recommended setup).

On the shared SSL site, the URL would be

https://xdomain.merchantquest.net

If I'm missing some of the details, or your setup is non-standard (not the usual setup method recommended by FutureQuest), then provide the actual domain names so we can look at the particulars and adjust the advice above.

mdreher
09-05-2008, 09:18 AM
Sheila,
Yes, I'm using the default setup for the secure domain. If I'm understanding you, that would put the entire WP installation in the secure domain. I'm not sure if that's totally necessary; there'd only be a few pages that would need to be secure. The rest could be insecure. Is there a way to bridge between the insecure and secure parts of the domain?

sheila
09-05-2008, 10:20 AM
Well, with WP, I don't know. Most clients who run WP simply install it in a single directory, so that would be the easiest way, to put it all in the same directory and make the whole thing secure.

I've personally set up a self-written application so that it straddled both secure and non-secure parts of a site. It was a Python CGI script and I wrote special cookie-handling code that passed the cookies back and forth. See, you have 2 different Apache daemons running the HTTP vs. HTTPS parts of your site, and they don't really know about each other. In order to stay logged in, I'm guessing WP requires sessions handled by cookies (I don't really know... I have not looked at the code for that app or read up on it in any way). Anyhow, sessions for HTTP and HTTPS are on different Apache daemons unless the app has been written to handle this somehow...?

I really don't know if it's possible.

Perhaps someone else here knows more about it? Or you could ask someone on the WP development team?

Even if we remapped your HTTPS to the /www directory on your private cert site (which we can't do for your shared cert site), and you were able to run both HTTP and HTTPS out of the same directory for WP, the cookies/sessions might not share properly across the two Apache daemons.
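
Added example (not part of any post in this thread): a simplified Python model of how a browser scopes a login cookie by its Domain and Secure attributes, applied to the hostnames discussed above. The non-secure site `http://www.domain.com/` and all function names are assumptions made for the illustration.

```python
# Added example: simplified RFC 6265 cookie scoping (Domain and Secure only;
# Path, expiry and the public-suffix check are left out).
from urllib.parse import urlsplit

def domain_match(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def make_cookie(set_by_url, domain=None, secure=False):
    """Model the cookie a browser stores after a Set-Cookie from set_by_url."""
    host = urlsplit(set_by_url).hostname
    if domain is not None:
        domain = domain.lstrip(".").lower()
        # A host may only set Domain= to itself or one of its parent domains.
        if not domain_match(host, domain):
            raise ValueError(f"{host} cannot set a cookie for {domain}")
    return {"domain": domain or host, "host_only": domain is None, "secure": secure}

def browser_sends(cookie, request_url):
    """Would the browser attach this cookie to a request for request_url?"""
    parts = urlsplit(request_url)
    if cookie["secure"] and parts.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    if cookie["host_only"]:
        return parts.hostname == cookie["domain"]
    return domain_match(parts.hostname, cookie["domain"])

# Hostnames from the thread; http://www.domain.com/ is an assumed non-secure site.
SECURE, PLAIN = "https://secure.domain.com/", "http://www.domain.com/"
SHARED = "https://xdomain.merchantquest.net/"

def demo():
    host_only = make_cookie(SECURE, secure=True)  # default scope: setting host only
    wide_secure = make_cookie(SECURE, domain="domain.com", secure=True)
    wide_plain = make_cookie(SECURE, domain="domain.com", secure=False)
    try:
        make_cookie(SHARED, domain="domain.com")
        shared_can_bridge = True
    except ValueError:
        shared_can_bridge = False  # different registrable domain, no shared cookie
    return {
        "host_only -> plain site": browser_sends(host_only, PLAIN),
        "wide+Secure -> plain site": browser_sends(wide_secure, PLAIN),
        "wide, no Secure -> plain site": browser_sends(wide_plain, PLAIN),  # cleartext
        "host_only -> secure site": browser_sends(host_only, SECURE),
        "shared SSL host can set Domain=domain.com": shared_can_bridge,
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In this model the only cookie that reaches the plain-HTTP site is the one set without Secure, which means the login cookie crosses the network unencrypted; on the shared certificate host no cookie scope covers both names at all.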