How To Secure Your Facebook Page Tab Content – The New Facebook Page SSL Requirement

September 19, 2011 · 45 comments

In my last post, we talked about the Facebook HTTPS migration coming on October 1, and broke it down to understand what it means to you if you have custom Facebook Page Tabs on your Facebook Page. Then I introduced two options for meeting the Facebook requirements.

Let’s get into more detail on each of the options now.

Option A: Use a Free Shared SSL Certificate

Some hosting providers offer a Shared SSL Certificate that you can use for FREE. I know at least BlueHost and HostGator offer this, and many others probably do as well.

Shared SSL Certificates – a Video Walkthrough

And here is a step-by-step walkthrough of what’s in the video:
To set this up, you’ll need to go to the CPanel of your hosting account and get your username. This is usually on the left side of your CPanel interface once you log in and it looks something like this:
[Screenshot: BlueHost CPanel username]

Once you have your username, you can make the secure URL to your content. My secure URL looks like this:
(where smallbiz372 is the folder that this WordPress installation is in.)

If you are using SmallBiz to manage your Facebook Page content, go to your Facebook Page Tab, and click Edit Tab URL:


The SmallBiz Facebook App allows you to edit the Tab URL

Now change your URLs in the SmallBiz Facebook App to use the https links instead of the http links:


Change your URLs from http to https

Finally, you’ll need to go into your WordPress General Settings and change your WordPress address and Site address too:


Changing your WordPress address and Site address

That’s it – now your Facebook Page Tab content will be served via SSL and meet Facebook’s HTTPS migration requirements.

One caveat to this approach is that you’ll want to have a WordPress install just to manage the Facebook Page Tabs, since you don’t want the URL of your regular site to use the hosting provider’s shared URL. So you will have one WordPress installation for your website/blog, and one for your Facebook Page Tabs. Don’t worry – BlueHost and many other hosting providers let you install many WordPress installations on your single hosting account.

Option B: Install an SSL Certificate

If you are using BlueHost – which is my recommended hosting provider – you can install a dedicated SSL Certificate for $75 per year. (That’s $30/year for a Static IP address, which is required for SSL, and $45/year for the SSL certificate.) BlueHost will set the Certificate up for you so it is super easy. Other hosting providers may offer similar arrangements.

Installing a Dedicated SSL Certificate – Video Walkthrough

If you are using SmallBiz for your WordPress site, you can continue to manage both your website/blog content and your Facebook content from the same WordPress install using this method.

And here is a step-by-step walkthrough of what’s in the video:
Once you’ve installed the SSL Certificate, go to your Facebook Page Tab, and click Edit Tab URL:


The SmallBiz Facebook App allows you to edit the Tab URL

Now change your URLs in the SmallBiz Facebook App to use the https links instead of the http links:


Change your URLs from HTTP to HTTPS


If you are managing Facebook Pages for clients, you will need to get them to install an SSL Certificate on their sites as well.

Remember, this is a Facebook requirement so please don’t shoot the messenger! I’m just trying to help you make your content secure so you can keep serving your Facebook Custom Page Tabs when Facebook makes the change in October.

Good luck with this and let me know if you have any questions in the comments below!


Don is an entrepreneur based in Silicon Valley. He founded Expand2Web and is the publisher of the Expand2Web Blog, and the GetFiveStars Customer Feedback and Reviews service.


{ 45 comments… read them below or add one }

Brian Burke September 19, 2011 at 4:05 pm

Interesting – what happens if we DONT secure it? do we lose our fanpage or are the contents (images etc) simply not viewable?


Hey Allan! October 21, 2011 at 11:17 am

Page displays an error like “501 (net::ERR_INSECURE_RESPONSE)” inside the app tab.


Don Campbell September 19, 2011 at 4:45 pm

Excellent question Brian.
Facebook doesn’t really say for sure. But my understanding is that the custom Tabs on your Facebook page will not show up if they are not secure.


Jody Gorran September 19, 2011 at 5:22 pm

Your explanation for the shared certificate was going very well until the end when you said
“One caveat to this approach is that you’ll want to have a WordPress install just to manage the Facebook Page Tabs, since you don’t want the URL of your regular site to use the hosting provider’s shared URL. So you will have one WordPress installation for your website/blog, and one for your Facebook Page Tabs. Don’t worry – BlueHost and many other hosting providers let you install many WordPress installations on your single hosting account.”
I have no idea what or where I’m supposed to install another WP. What happens to the contact in my original? What does this mean? Can you expand your explanation on this final part?


Jody Gorran September 19, 2011 at 5:27 pm

Sorry. I meant to say “what happens to the content in my original”. I don’t really understand why you now need another wp installation or how to set it up so you do not lose anything in the original.


Jody Gorran September 19, 2011 at 5:45 pm

In continuing my review of what you said, it seems that in using the shared certificate, you will somehow need to clone your WP installation and somehow recreate it as a new installation with your original URL now that the original installation will use the “funky” secure url for Facebook needs. How do you do that? Can you instantly “clone it”.


Don Campbell September 19, 2011 at 6:20 pm

Hi Jody,
How are you using things now? Are you using SmallBiz as the theme for your WordPress blog, and to manage your custom Facebook Page Tag content too?

If so, the best thing to do is to get an SSL certificate for your domain, and continue to use that WordPress installation to manage both.

If you don’t want to/can’t do that, and decide to go the Shared SSL Cert route (Option A) then I recommend creating another WordPress install. Because you are going to need to change your WordPress URLs to the new secure ones and you don’t want to change all the URLs on your main site.

What hosting provider are you using?


Jody Gorran September 20, 2011 at 3:30 am

I am using the Small Biz theme on two sites for two WP blogs and to manage two Facebook Page Tags. I use Bluehost. Unfortunately, the two Facebook pages have less than a half-dozen fans so whatever I am doing is not appreciated by my audience. I was trying to avoid paying an additional $75 per site for the SSL as the Facebook page is obviously not working very well for me. Since you have yet to answer my question about cloning my sites for new installations if I use the shared SSL, I will assume that it is too complicated. I will not take the chance of screwing up my Blogs. I may simply give up the Facebook Page Tag.


Don Campbell September 20, 2011 at 10:00 am

Sorry if I didn’t answer your question directly – I was still trying to understand exactly what your situation was. I think I get it now.

It is not that hard to move your content over, but it’s hard to define the problem and explain what to do in a blog comment stream.

I’ll have Thomas contact you – we can help you out.


Jack September 23, 2011 at 7:10 am

I’m having a couple of problems after running through this process. I’m using my private SSL on my server. I installed a new instance of WP for my FB pages.

1. After putting my https: urls into the Facebook App. I get a correct screenshot of the new page showing. When I actually go to the Facebook page I get this error:


You don’t have permission to access /fbsecure/cflim/ on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8r DAV/2 mod_fcgid/2.3.6 FrontPage/ mod_bwlimited/1.4 mod_auth_passthrough/2.1 Server at Port 443

2. When I set my WP Address and Site Address in the WP General Settings page to the https urls. I get kicked out of my WP dashboard and it’s not letting me log back in, saying I have the wrong PW.

So, I’m not sure what I’m doing wrong, any suggestions?


Don Campbell September 23, 2011 at 9:00 am

Hi Jack,
Who is your hosting provider? We’ve seen this error a few times and in each case the person contacted their hosting provider and they changed a setting on the server and everything worked fine again. Can you try that and let me know if it helps?


Jack September 23, 2011 at 9:58 am

Don, problem 1 turned out to be as simple as clearing my Firefox cache. It turns out that it worked when I opened Explorer which clued me in.

Problem 2 was resolved when I changed the WordPress address (URL) in my General settings to http version of the site and left the Site address (URL) pointing to the https URL.



Muslim September 26, 2011 at 1:54 am

Hi Don,

You cleared all confusion… Thanks a lot man…

So after getting SSL from the hosting, we just have to enter
Secure Page Tab URL: for Facebook Page Tab
Secure Canvas URL: for Facebook App

That’s it… and all the existing pages and App will remain working… ?


Patrick September 26, 2011 at 12:19 pm

Hi Don,
My application and database live on separate servers. Would I need to install a cert on both servers or just the server hosting the app?


Don Campbell September 30, 2011 at 9:04 am

Hi Patrick,
All connections need to be secure for the content you are serving to your custom Facebook Page Tab. So you would need SSL for both. But you may be able to use Shared SSL for your database if your hosting provider supports it…


Mohamed Nazar September 26, 2011 at 11:02 pm

We need to enable facebook page tab SSL option for our website hosted with our own dedicated server. But my server provider is not providing free shared SSL. Please let me know is there any free SSL provider available without trial period.

Thank you,


Don Campbell September 30, 2011 at 9:05 am

Hi Mohamed,
I don’t know of anyone offering free SSL certs – I’ll keep my eyes open and post anything back here if I find it!


BrianM September 30, 2011 at 3:39 am


Thanks for the tutorial.

I work on a website that has an SSL certificate already installed. I have made some Facebook apps that I host on the same server as the website.

Do I simply add an ‘s’ to the end of the http in the URL of the apps? This seems too good to be true. I assumed I needed to move the files to a secure directory on the server…

Thanks for your help



Don Campbell September 30, 2011 at 9:07 am

Yes, just add the “S”. However, if your page is referencing images or scripts using http: you may need to change those to https as well. See this great post on Mixed Content warnings.


Rick September 30, 2011 at 7:31 am

Hi Don,

Thank you for the easy to understand guide. One question though, do I need to change hard coded img src links to the SSL url? For instance I use the Small Biz theme and just html based pages for Fan pages. Will images with the unsecure url continue to show on my clients Facebook pages?



Don Campbell September 30, 2011 at 9:08 am

Hi Rick,
If the image references are “relative” then you will be OK (e.g. ../images/imagename.jpg.)

But if they are absolute and reference the image using http then they will need to be changed.
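
The distinction drawn in the two replies above (absolute `http:` references need changing, relative ones do not) can be checked before pointing a Page Tab at an https URL. The following is an added example, not part of the original post or comments: it scans a page's HTML and reports subresources that would still load over plain http. The sample markup and the `example.com` URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose listed attribute makes the browser fetch a subresource on load.
FETCHING_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                  "embed": "src", "source": "src", "link": "href"}
# <link> only fetches for these rel values; rel="canonical" is just metadata.
FETCHING_LINK_RELS = {"stylesheet", "icon"}


class MixedContentScanner(HTMLParser):
    """Collects (line, tag, url) for subresources requested over plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = FETCHING_ATTRS.get(tag)
        if attr_name is None:
            return  # e.g. <a href>: a navigation link, not a subresource
        attrs = dict(attrs)
        url = (attrs.get(attr_name) or "").strip()
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        # Relative ("../images/x.jpg") and protocol-relative ("//host/x.js")
        # URLs have no scheme, so they inherit https from the page itself.
        if urlsplit(url).scheme == "http":
            self.findings.append((self.getpos()[0], tag, url))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample of a Page Tab's HTML (not taken from any real site).
SAMPLE_TAB = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/tab/style.css">
<link rel="canonical" href="http://example.com/fb-tab/">
<script src="//example.com/js/tab.js"></script>
</head><body>
<img src="../images/header.jpg">
<img src="http://example.com/images/offer.jpg">
<img src="https://example.com/images/logo.png">
<a href="http://example.com/contact/">Contact</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE_TAB):
        print(f"line {line}: <{tag}> loads {url}")
```

Only the stylesheet and the one absolute `http:` image are reported; those are the references that have to be changed to https or made relative.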


Suzanne September 30, 2011 at 2:15 pm

People who are viewing Facebook from a non-secured connection will not be able to see your fanpage tab. Still be able to see your wall.

Add a sub domain to your domain and use that on a separate wordpress.

Hope that helps. I didn’t read all the comments but wanted to summarize.


Marco Berrocal October 3, 2011 at 9:15 am

Troubles on the horizon 🙂

Glad I bumped across this, my profiles don’t work. Is this the only change that they are making or any other surprises I should be looking after?




Don Campbell October 3, 2011 at 10:39 am

Marco – they seem to like nasty surprises don’t they? We’re keeping an eye on the developer blog and I’ll be blogging about any changes coming…


Marco Berrocal October 3, 2011 at 12:42 pm

Absolutely. I was pretty upset when they dumped FBML. Thanks for the heads up on this article, I was a bit worried here :p


Mohamed Nazar October 3, 2011 at 10:50 pm


I used which 1 year trial.



meera October 10, 2011 at 3:34 am

This page was very useful, helped me secure my landing tab on my Facebook page, and now I got it working.


sirin k October 12, 2011 at 11:48 pm

I got a question for you. I have changed my app to https and now it’s hosted only in https, not in http. So I have changed my Tab & Canvas URL to https and it’s working fine only for https and not showing anything when taking with http.
Actually, what I need is a redirection to https from http when users are accessing my page tab from http.
Please help me if possible.

My app is hosted in LAMP.


Don Campbell October 22, 2011 at 7:02 am

If you have an SSL certificate installed on your domain then you should be able to access everything via http and https. I’m not sure I understand your question.


Mike Issa October 21, 2011 at 11:37 pm


I have used a developer to create a splash page for me which works fine if I use this URL

However, if I select my page as a result of a search for ‘Anytime Fitness Mascot’ … then I don’t have a splash page image…
It seems the only difference is one has httpS and the other is just http.

I’m new to this and would appreciate your help.



Don Campbell October 22, 2011 at 7:05 am

It looks like your SSL cert is not set up correctly. The error message says invalid security certificate.


Mike October 22, 2011 at 10:27 pm

Hi Don,

Thanks… Can you see what the problem is with my cert? I am using bluehost like the way you mentioned in your video.



Don Campbell November 18, 2011 at 5:00 pm

Hi Mike, when I go to that custom Facebook page, it tells me the page you are trying to load into the Facebook page is not valid. Do you still have a page at that address?


Mike October 22, 2011 at 10:42 pm



Do you think that’s my problem?…


Kevin Townsend November 18, 2011 at 4:46 pm

Hey! Great video! It’s been such a help.

I have one quick question. I use Blue Host as my hosting provider and WordPress as CMS. I do not use the Small Biz theme or have the app. My question is how to create another WordPress install in BlueHost? Do I need to pay for another domain?



Don Campbell November 18, 2011 at 5:01 pm

Hi Kevin,
You’re welcome!

You can just install a new WordPress in a sub-folder under your existing one, or on a new domain. When you go into SimpleScripts it will ask you where you want to install WordPress. I think you can install 100 sites like that on one BlueHost account.


Marco Berrocal November 18, 2011 at 9:03 pm

Follow up as I got these comments. Installing it on Dreamhost is a breeze. The cert is worth like $15 annually. Must pay for the dedicated IP though. What I did is set up a subdomain (of my own) and serve based on folders.

Hope this helps.


Don Campbell November 18, 2011 at 9:44 pm

Thanks Marco – I haven’t had any reports from Dreamhost yet so this is great. I appreciate you sharing that with everyone here!


Kevin Zarycki January 10, 2012 at 9:01 pm

Hey there,

I am currently interning at Specs Howard School of Media Arts and my first task was to develop a Facebook splash page for the school and all other Facebook pages they have.

After doing some research I learned that I would have to obtain an SSL for their domain and subdomains. We accomplished that hurdle through the Bluehost website and now I am clueless as to why the page is still not working for users surfing securely…

The school’s Facebook is if you are running secure you will not see the splash page but if you aren’t you will. Is there anything else within the control panel I must do for this to recognize an SSL?


Gene Boggs January 26, 2012 at 11:42 am

Why am I getting posts on my Profile page from cPanel, Powered by Apache, and showing that I posted it when I did not, nor do I know what it is. I’m also getting posts from Mitt Romney, saying that I support him, when I do not and that I posted it, when I did not. Help me out on this so I can block it or put a stop to it.


Don Campbell January 26, 2012 at 5:46 pm

Hi Gene,
I need more information to help you. What theme are you using and what FB App are you using to connect to your Facebook page? Can you give me URL to look at?


hskstudios March 14, 2012 at 12:34 am

I have a personal hosting account on NEXUS TECHNOLOGIES, and today I called them to know whether they offer any shared hosting along with the package, so they said that they have https enabled on my website previously but if I wanted a dedicated SSL certificate then I can buy one.
So I just wanted to know: will that shared SSL over their whole server WORK for me or not?


Don Campbell March 14, 2012 at 8:52 am

Hi hskstudios,
I’m not familiar with that hosting provider, so there is no way for me to know for sure.

But it does work with HostGator and BlueHost, so it may work for them too by following the instructions in this blog post.


John January 16, 2014 at 12:56 pm

I’ve set the general settings for website w/shared URL, but when applied, the screen turned to a black background with an abbreviated dashboard menu. What do I do now?


Paul October 29, 2014 at 4:03 am

Hey Don, Thanks for the video.

I followed your instructions step by step up to the point where I put the new secure URL into WordPress. After that, I was unable to access my site, got error 404 and had to call Bluehost to reset it from within the database. Where did I go wrong? Really nervous to try that again.

