While working on my first BuddyPress installation, I noticed a serious security issue where members are directed to a non-secure page to change their password or email. The default page is an http page, allowing unencrypted information to pass over the net.
This is obviously an issue, especially for your membership who put their trust in you to keep their information secure. If an application becomes compromised, via a security hole, hack, etc., this will reflect as thousands of breeches due to the enormous popularity of WordPress and BuddyPress. There is no reason to have your site be subject to this.
I originally began searching forums for a fix, but was coming up with “known issue” or no relevant information to the problem. I then expanded my search for an .htaccess fix, running into a number of great solutions, but nothing that will work with the naming structure of the settings page. The page is rewritten by the core program to put your your user name in-between the members and settings in the URL, not allowing a .htaccess rewrite to solve.
I then started searching for a plug-in, after looking over a dozen or so on various searches I found wordpress-https. This plug-in allows you secure any page on your site, much like others do, but also allows you to secure by directories as well. To install and correct the BuddyPress password and email settings page, follow the simple steps on the next page.