Secure cookies with HttpOnly, secure and use_only_cookies

Since version 2.0.2, Really Simple SSL pro and Really Simple SSL pro multisite contain a new feature which enables setting secure cookies by default. It uses the HttpOnly, secure and use_only_cookies parameters to make cookies more secure. Since Really Simple SSL helps you in securing your website by switching your site to SSL, we feel like making these changes to the plugin is a simple way in which we can contribute to the overall safety of your website.

Cookies are set by almost every website and are used for a lot of different things, like user tracking, affiliate marketing and authentication. Imagine having your users authentication cookies stolen by malicious actors. That’s something you’d want to avoid at all times and this addition to the pro plugin is something which helps in preventing just that.


The HttpOnly flag will tell the browser that this cookie can only be accessed by the server. The main benefit of this is that it prevents cross-site scripting (XSS). For example, this will prevent requests from malicious JavaScript files trying to steal cookies.


The secure parameter will make sure cookies are only sent over a secure SSL connection. This will prevent any cookies being sent over http://, thus securing cookies even more.


the use_only_cookies parameter will tell your website to only store session data in a cookie and not in another way. This prevents attacks involving passing session ids in URLs.


Really Simple SSL pro will set these parameters in your wp-config.php file. On most WordPress installations this file is writeable and Really Simple SSL will apply the changes automatically. If the file is not writeable, the plugin will show you which code to add so you can add it manually. If you choose to deactivate the plugin, the code will also be removed from the wp-config.php file.

Let us know if you have any questions in regards to this article!

Related Articles

  • Really Simple SSL Social 3.0

    Recently Really Simple SSL Social 3.0 has been released. The changes that have been made in version 3.0 have to do with the look and feel of the built-in sharing...
  • Really Simple SSL 2.5.20

    Today a minor update for Really Simple SSL was released. No major changes: New option: switch mixed content fixer hook In most sites the template_redirect hook works fine as hook...
  • Really Simple SSL and GDPR

    As a consequence of the upcoming new privacy regulations, the GDPR, some users have been asking if Really Simple SSL is compliant, or if the plugin or add-ons do any...
  • Really Simple SSL 2.5.25

    Today Really Simple SSL 2.5.25 has been released. This latest version of Really Simple SSL includes a number of minor fixes and has been tested with WordPress 4.9.4. A number...