[resolved] HTTPS, SSL, WP_CONTENT_URL (23 posts)

  1. jeremysawesome
    Member
    Posted 4 years ago #

    Over the past several months I have run into a lot of different problems while trying to use HTTPS with WordPress.

    Using the HTTPS for WordPress plugin solves most issues. However, some issues are not resolved. The unresolved issues are generally related to plugins including js files or css files. Examples of this issue include the "Sociable", "WP-SpamFree", "NextGEN Gallery" and other plugins.

    Every time I see the issue in a plugin, it always occurs when the URL is built using WP_CONTENT_URL. Here are the relevant variable declarations from the above three plugins:

    Line 32 of sociable.php (version 3.5.2)
    $sociablepluginpath = WP_CONTENT_URL.'/plugins/'.plugin_basename(dirname(__FILE__)).'/';

    Line 6798 of wp-spamfree.php (version 2.1.0.9)
    $wpsf_plugin_url = WP_CONTENT_URL.'/plugins/'.plugin_basename(dirname(__FILE__));

    Line 210 of nggallery.php (version 1.3.6)
    define('NGGALLERY_URLPATH', WP_PLUGIN_URL . '/' . plugin_basename( dirname(__FILE__) ) . '/' );

    Now, NextGEN uses WP_PLUGIN_URL which is different from WP_CONTENT_URL but is built from WP_CONTENT_URL as shown below.

    Line 372 of wp-settings.php (version 2.8.5) defines WP_PLUGIN_URL as:
    define( 'WP_PLUGIN_URL', WP_CONTENT_URL . '/plugins' ); // full url, no trailing slash

    Now WP_CONTENT_URL is based on what the user defines as their "siteurl". That's why changing your 'siteurl' to https generally helps the plugins to work as well as the rest of WordPress. What if you don't want your entire blog to be https - just a piece of it, say the checkout page (if you use an ecommerce plugin)? A lot of users have issues with this.

    I suggest that plugin authors use wp_enqueue_script when possible. If not possible, I suggest that plugin authors at least check for HTTPS when defining their variables.

    Even using something as simple as this code would help many users with their HTTPS problems:
    $variablename = (empty($_SERVER['HTTPS'])) ? WP_CONTENT_URL.'mypluginpath' : str_replace("http://", "https://", WP_CONTENT_URL.'mypluginpath');

    If you have had problems with https on other plugins feel free to list them.

  2. brantgurga
    Member
    Posted 4 years ago #

    I have noticed such issues as well and have put in WordPress Trac bugs where applicable and notified plugin authors where applicable.

  3. 6XGate
    Member
    Posted 4 years ago #

    Even plug-ins that use wp_enqueue_script/wp_enqueue_style still exhibit this problem. It appears to be a major problem with the WordPress application itself as well. It seems like it would be an easy fix.

  4. Scott Kingsley Clark
    Member
    Posted 4 years ago #

    This issue is ouchies. Just saying, needs to be fixed.

  5. Mindraven
    Member
    Posted 4 years ago #

    I'm running into this problem as well. Just a single page needs to run under SSL, not the entire WordPress installation, but some of the plugins just don't want to play nicely.

  6. Steph
    Member
    Posted 4 years ago #

    Hey All,

    This is my first post on the forums so this is the obligatory 'this is my first post' post.

    Anyway, I'm new to WordPress and have created just 2 sites. I currently have a 3rd WordPress commerce/CMS site in development and am highly bugged by the lack of usability around securing a WordPress site.

    Like many, I want to be able to secure certain pages within my site. I tried a couple of plugins but they were buggy. One rendered the site unusable. I use wp_list_pages() for my main navigation and wanted to be able to control the URLs it spits out so those to my shop, checkout or any page I specify, are specified as HTTPS.

    After some investigation, I found that the functions get_page_link() and _get_page_link() in link-template.php are used to create the URLs rendered by wp_list_pages(). The problem is that these functions use get_option('home'). If your blog's home page is not HTTPS, then obviously you're never going to get what you need unless you do some tweaking. And if it is, then you won't have a problem because your whole site is using HTTPS.

    Anyway, my solution:

    1. Create a custom field called 'https' and set it to 'true' for any page you want to be secured.

    2. Create a function in your theme's functions.php file to modify the string returned by get_option('home') on a per-page basis using the custom field setting above as a trigger.

    function bce_page_link($link, $id)
    {
    	return (get_post_meta($id, 'https', true)==="true" ? str_replace('http', 'https', $link) : $link);
    }

    3. Create a function to force HTTPS on the pages you've specified using the custom field as a trigger. Note below that the server variable I've used reflects my hosting environment. Normally this is just 'HTTPS'.

    function force_https()
    {
    	global $post;
    	if($post->post_type == 'page' && get_post_meta($post->ID, 'https', true)==="true")
    	{
    		if(isset($_SERVER["SITE_HTTPS"]) && $_SERVER["SITE_HTTPS"] === "false")
    		{
    			$strLocation='https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    			header("Location: $strLocation");
    			exit();
    		}
    	}
    }

    4. Hook the function from point 2 above into get_page_link() and _get_page_link() in your theme's functions.php.

    add_filter('page_link', 'bce_page_link',1,2);
    add_filter('_page_link', 'bce_page_link',1,2);

    5. Hook the function from point 3 above using the get_header hook.

    add_filter('get_header', 'force_https');

    It seems to be working very nicely. And as far as I can tell, any plugin or piece of code that calls wp_list_pages() and by extension any WordPress function that calls get_page_link() and _get_page_link() will render your URL correctly. Then the force_https() function ensures it stays that way. At the very least, the force_https() function will redirect for you even if the URL that points to your secure page is somehow specified incorrectly or the user types it into the browser.

    Try it and let me know how it works for you guys.
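The same steps with two changes a reviewer would ask for, as an added example that is not part of Steph's post: the scheme swap is anchored to the start of the URL, and the redirect host comes from the stored home option instead of the request. The `ex_*` function names are hypothetical, and `get_queried_object_id()` assumes WordPress 3.1 or later.

```php
<?php
// Added example for a theme's functions.php; the ex_* names are hypothetical.
// Assumes the 'https' custom field from step 1 and WordPress 3.1+.

// Swap only a leading scheme, so "https://..." never turns into "httpss://...".
function ex_to_https($url)
{
    return preg_replace('~^http://~i', 'https://', $url, 1);
}

function ex_page_wants_https($page_id)
{
    return get_post_meta($page_id, 'https', true) === 'true';
}

// Step 2 equivalent: emit https links for flagged pages only.
function ex_page_link($link, $page_id)
{
    return ex_page_wants_https($page_id) ? ex_to_https($link) : $link;
}
add_filter('page_link', 'ex_page_link', 1, 2);
add_filter('_page_link', 'ex_page_link', 1, 2);

// Step 3 equivalent: redirect a flagged page that was requested over plain HTTP.
function ex_force_https()
{
    if (!is_page() || !ex_page_wants_https(get_queried_object_id())) {
        return;
    }
    // Assumption: is_ssl() reflects the client connection. Behind a proxy that
    // signals TLS through its own variable (SITE_HTTPS in the post), test that.
    if (is_ssl()) {
        return;
    }
    // Take the host from the stored home URL, not from the request.
    $host = parse_url(get_option('home'), PHP_URL_HOST);
    // wp_safe_redirect() refuses hosts outside the site's allowed list.
    wp_safe_redirect('https://' . $host . $_SERVER['REQUEST_URI']);
    exit;
}
// template_redirect runs before any template output, so headers can still be sent.
add_action('template_redirect', 'ex_force_https');
```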

  7. wy7
    Member
    Posted 4 years ago #

    Hi,
    I tried it; the https URL is OK, but in Firefox I get a message about a 'no complete security certificate' and in Safari there is no padlock icon...

  8. Steph
    Member
    Posted 4 years ago #

    It sounds like a problem with your SSL certificate or SSL setup to me. This code simply enforces https in the specified URLs to initiate the request over HTTPS.

    Is your certificate shared or self-signed? Is your Linux config ok? What happens when you manually enter the URL (as https) into your browser without the fix applied? What is the exact error message from FF?

  9. ac33
    Member
    Posted 4 years ago #

    @scarydakis

    I only want some single pages with https. Those pages shall not and do not appear on the navigation menu.

    Questions:
    a- do I need to install any plugin? Which one?
    b- where do I define the ssl url?

    Thank you in advance.

  10. Steph
    Member
    Posted 4 years ago #

    Hey ac33,

    a. A plugin to do what exactly?
    b. What do you mean by "ssl url"?

    The URL of a page in WordPress can be changed on a page basis by modifying the permalink. So you can manipulate the URL like that. Then my code from above will switch on HTTPS for that page.

    NP.

  11. phycel
    Member
    Posted 3 years ago #

    @scarydakis

    Thank you for the useful code. It worked just fine making sure the one page I specified is ssl. But I'm still running into issues with plugins using get_option('siteurl') to reference their plugin css and js files. IE shows constant security errors when there are non-secure items. I really want to avoid hacking the plugins as it makes updating difficult.

    There are two plugins in my specific situation causing the issues, one being wp-facebox-gallery and the other wordtube.

    wp-facebox-gallery creates init functions to establish the root path and then uses $this->root to load the plugin scripts...

    function init() {
    		$this->home = get_option('home');
    		$this->site = get_option('siteurl');
    		$this->root = $this->site . '/wp-content/plugins/wp-facebox-gallery';

    I've tried several different things to look for the https in the post meta and possibly get the siteurl option to then return https, but my PHP skills are very limited and I'm not quite sure I understand exactly how to add this type of filter. Or, maybe a way to get the WP_CONTENT_URL to be https...

    Got any ideas? Thanks for your time and sharing the above code with us.

  12. Mvied
    Member
    Posted 3 years ago #

    I know this is an issue that many people are facing, so I came up with a very simple fix using PHP's built-in output buffering. I'm currently in the process of releasing this fix as a plugin.

    Basically, the plugin looks at the source code after all other plugins and such have added what they're going to, and if the page is accessed via HTTPS, it finds any occurrence of the value of site_url (without https) and replaces it with https. I have tested the plugin on a few websites that have a lot of major plugins activated on them (WP Super Cache, Buddypress, etc.) and have not encountered any compatibility issues.

    I'm still waiting on the plugin to be approved, but if you'd like to give it a try, you can download it here.

  13. Mvied
    Member
    Posted 3 years ago #

    Oh, I did want to mention that my plugin isn't a 100% fix. It will rewrite any anchor tags to HTTPS as well, which may not be desired. But, if you don't care about that, then use it. The next version will assess that problem. The name of the plugin is WordPress HTTPS, so maybe by the time you read this, it will be up in the plugin repository.

  14. Mvied
    Member
    Posted 3 years ago #

    I've fixed the plugin to leave anchor tags alone and only change stylesheet link tags, images, and script tags.

    I did notice that when viewing a page on HTTPS, WordPress changes its siteurl to HTTPS so all the anchor tags and such get changed to HTTPS anyways. My plugin only fixes the elements not loaded with HTTPS, but as far as WordPress changing all the anchors to HTTPS, well, that's a whole 'nother problem. Maybe I will expand my plugin to fix that problem later. :P

  15. Mvied
    Member
    Posted 3 years ago #

    Here is the released plugin: http://wordpress.org/extend/plugins/wordpress-https/

    This has only been tested on a few environments, so I could really use some feedback on how it works for you. I'll be keeping an eye on the plugin as well as this topic (and others) to try to improve the plugin so that it is an ultimate solution to the problem. For now it only works on img, script, and link (stylesheet) tags. I'm sure there are other tags that would try to load insecure content such as object and embed and others. I'll address issues as they come.
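A sketch of the output-buffering approach described in the posts above, added here as an example and not the WordPress HTTPS plugin's own code. The `ex_secure_assets` function and the sample markup are constructed for illustration; the rewrite is limited to the site's own URL inside img, script and link tags.

```php
<?php
// Added example, not the WordPress HTTPS plugin's code; ex_* names are hypothetical.

// Rewrite http:// references to the site's own URL inside img, script and
// link tags only. Anchor tags and other hosts are left as they are.
function ex_secure_assets($html, $site_url)
{
    $insecure = preg_replace('~^https://~i', 'http://', $site_url, 1);
    $secure   = preg_replace('~^http://~i', 'https://', $insecure, 1);
    // The lookahead stops "http://www.example.com" from also matching
    // "http://www.example.com.other.test".
    $attr = '~\b(src|href)=(["\'])' . preg_quote($insecure, '~') . '(?=[/"\'?#])~i';

    return preg_replace_callback(
        '~<(?:img|script|link)\b[^>]*>~i',
        function ($tag) use ($attr, $secure) {
            return preg_replace_callback($attr, function ($m) use ($secure) {
                return $m[1] . '=' . $m[2] . $secure;
            }, $tag[0]);
        },
        $html
    );
}

if (function_exists('is_ssl')) {
    // Inside WordPress: buffer the whole response of a secure request.
    if (is_ssl()) {
        ob_start(function ($html) {
            return ex_secure_assets($html, get_option('siteurl'));
        });
    }
} else {
    // Stand-alone run with constructed sample markup.
    $sample = <<<HTML
<link rel="stylesheet" href="http://www.example.com/wp-content/plugins/a/a.css">
<script src="http://www.example.com/wp-content/plugins/a/a.js"></script>
<img src="http://www.example.com.other.test/pixel.png">
<a href="http://www.example.com/about/">About</a>
HTML;
    echo ex_secure_assets($sample, 'http://www.example.com'), "\n";
}
```

Resources on other hosts are left alone, so a page can still show a mixed-content warning for anything the rewrite does not own.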

  16. phycel
    Member
    Posted 3 years ago #

    Thanks Mvied! I defaulted to a rather undesirable workaround at the time just to get the job done, but I run into this problem often. I will definitely try your plugin out soon and provide feedback as needed. Contributions like this are always greatly appreciated! :)

  17. WraithKenny
    Member
    Posted 3 years ago #

    Plugins that enqueue scripts do so as the codex and the source code suggest. Unfortunately this means full URLs.

    WordPress default scripts, since the location is known, pass relative URLs, "/wp-includes/js/jquery/jquery.js". The solution is for plugins to do the same.

    Instead of "http://www.example.com/wp-content/plugins/something/custom.js", pass "/wp-content/plugins/something/custom.js".

    This means that plugin authors that use WP_PLUGIN_URL and WP_CONTENT_URL should manually remove "http://www.example.com".

  18. WraithKenny
    Member
    Posted 3 years ago #

    Also, I believe the functions at http://codex.wordpress.org/Determining_Plugin_and_Content_Directories are sensitive to ssl. So using plugins_url() for example will return https:// links.

  19. Mvied
    Member
    Posted 3 years ago #

    Pretty much every function that builds URLs for WordPress is sensitive to SSL since 3.0.

    I'm not sure what function (if any) is used to build the URLs for links to other internal posts and pages, but if I can figure it out, I can add an option to WordPress HTTPS to stop WordPress from making all URLs HTTPS, using a simple filter.

    I've proven this by adding a filter to the site_url function and replacing HTTPS with HTTP; however, the anchor tags are not built with this function (but JavaScript, CSS, etc. do use this function to build their URLs). If anybody knows what function it is and could tell me, that would be really helpful to a lot of people.

    If not, I'll eventually figure it out if it's possible or not. If it is, I'll add the functionality to my plugin.

  20. randym56
    Member
    Posted 3 years ago #

    I am so frustrated I could scream! After more than 20 hours of research and hacking I can't figure out how to force my site to use http:// and ONLY the checkout page to use https://.

    It seems with the upgrade to WordPress v3.01 I've lost the ability to use this custom code in the functions.php file in my theme folders:

    function force_https()
    {
        global $post;
        if($post->post_type == 'page' && get_post_meta($post->ID, 'https', true)==="true")
        {
            if(isset($_SERVER["SITE_HTTPS"]) && $_SERVER["SITE_HTTPS"] === "false")
            {
                $strLocation='https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
                header("Location: $strLocation");
                exit();
            }
        }
    }

    add_filter('page_link', 'bce_page_link',1,2);
    add_filter('_page_link', 'bce_page_link',1,2);
    add_filter('get_header', 'force_https');

    Once the checkout page is accessed it leaves all other links as https:// - which makes the URI httpss:// on the checkout page the subsequent times it is attempted to be accessed.

    Any help on this issue (how to force all pages that don't have the custom variable https = true set back to http://).

    Thanks!

  21. Mvied
    Member
    Posted 3 years ago #

    Hey Randy,

    That little code snippet gave me exactly enough information to figure out how to disable that functionality in WordPress 3.0+. Thank you very much!

    I have now released WordPress HTTPS v1.0.

    I believe this will fix your problem. If not, let me know. This functionality has been requested a lot.

  22. Mvied
    Member
    Posted 3 years ago #

    For anyone wondering, the correct way to add scripts and stylesheets with a WordPress plugin is to use the plugins_url function.

    I used it like so in my plugin. It is sensitive to SSL.

    plugins_url('', __FILE__);

  23. Mvied
    Member
    Posted 3 years ago #

    I just realized that plugins_url can only be used that way in WordPress 2.8 or above. I've changed my plugin to use this code.

    if ( version_compare( get_bloginfo('version'), '2.8', '>=' ) ) {
     $this->plugin_url = plugins_url('', __FILE__);
    } else {
     $this->plugin_url = WP_PLUGIN_URL . '/' . plugin_basename(dirname(__FILE__));
    }

Topic Closed

This topic has been closed to new replies.
