
Wordfence Security
Live traffic is using https (10 posts)

  1. miguelpinheiro
    Member
    Posted 5 months ago #

    Hi,

    I have set up https only for admin tasks, but I have noticed the code generated by Wordfence to get live traffic info is using https too. Like that:

    <script type="text/javascript">var src="https://site1379293681.websiteseguro.com/Site/wordpress/wp-admin/admin-ajax.php?action=wordfence_logHuman&hid=CE34408FD3768FAC678EF15DF884D7D3"; if(window.location.protocol == "https:"){ src = src.replace("http:", "https:"); } var wfHTImg = new Image();  wfHTImg.src=src;</script>

    I don't know if this behavior is by design, but I will have to disable the "Live Traffic View" option in order to speed up page load times.

    I am wondering if I did something wrong or if I can fix it.

    Take a look at http://www2.asbacsalvador.com.br/

    wordfence 4.0.3

    Thanks in advance

    https://wordpress.org/plugins/wordfence/

  2. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    I'm not sure what problem you're seeing here. To me it makes sense to use HTTPS to track traffic. And yes we do recommend disabling live traffic if you're running a slow server. Help me understand what the issue is.

    Regards,

    Mark.

  3. miguelpinheiro
    Member
    Posted 5 months ago #

    Mark,
    I see what you are saying, but I disagree. I have three reasons for that (average user, best practices and performance). I will focus on the first one, but if you would like I can explain all.

    If someone implements https, he or she must be prepared to deal with certificate problems, pay attention to expiration dates and check browser support. In fact, most browsers will alert the user when something is not as expected. To avoid problems like that, I prefer https on my side (wordpress panel) leaving http to the average user.
    In my case, wordfence is getting live traffic info using https while the whole site is using http. It is not a bug. It's more like a feature request.

    Wordfence is a 'must use' plugin and I thank you for this wonderful work.

    Miguel

  4. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    Miguel I'm sorry but I didn't understand your original post. I've re-read it now and your second post and I understand what you're saying.

    Investigating this now...

  5. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    OK, you were absolutely right. We are using the function admin_url() in WordPress to generate the URL we use for logging humans. So what I've done is I've kept the code the same, but I'm stripping out the scheme prefix of the URL so it ends up looking like:

    //yoursite.com/...logHuman....

    This is a perfectly valid URL and it means it's relative to the current scheme. So it will work great if you're using HTTP or HTTPS and will automatically pick the correct scheme.

    This will go out with the next release.

    Regards,

    Mark
    PS: If you found this helpful, please rate Wordfence 5 stars.
    http://wordpress.org/plugins/wordfence/

  6. miguelpinheiro
    Member
    Posted 5 months ago #

    Hi Mark,

    If you don't mind, I want to help with the solution too.
    Look, I am very happy you pay attention to my words.

    If I understood right you will take admin_url() and will strip out "https" from the beginning.

    I feel if you help me this way you may create problems in other wordfence installations.

    Look at my case:

    admin url:
    https://site1379293681.websiteseguro.com/Site/wordpress/wp-admin

    site url:
    http://www2.asbacsalvador.com.br/

    not valid:
    http://site1379293681.websiteseguro.com
    http://site1379293681.websiteseguro.com/Site
    http://site1379293681.websiteseguro.com/Site/wordpress

    Let me know if I understood wrongly.

    Regards,
    Miguel

  7. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    How can a public visitor access the /wp-admin/admin-ajax.php script?

    This script is used for all public and admin AJAX calls. So if it's not accessible it means that any plugins or themes on the site that provide AJAX functions to non-admin (unregistered) users won't work.

    Regards,

    Mark.

  8. miguelpinheiro
    Member
    Posted 5 months ago #

    Mark,

    A public visitor can access the /wp-admin/admin-ajax.php with the right url for http.

    Because of your question, I looked at the admin_url() reference -
    http://codex.wordpress.org/Function_Reference/admin_url and now I have a suggestion for you:

    public static function wp_head(){
        // URL with the scheme admin_url() chooses by default
        $URL      = admin_url('admin-ajax.php?action=wordfence_logHuman&hid=' . wfUtils::encrypt(self::$hitID));
        // Same URL with the scheme forced to http
        $URL_HTTP = admin_url('admin-ajax.php?action=wordfence_logHuman&hid=' . wfUtils::encrypt(self::$hitID),'http');
        echo '<script type="text/javascript">var src="' . $URL . '"; if(window.location.protocol == "http:"){ src="' . $URL_HTTP . '"; } if(window.location.protocol == "https:"){ src = src.replace("http:", "https:"); } var wfHTImg = new Image();  wfHTImg.src=src;</script>';
    }

    This code preserves the old behavior, but changes the resulting URL when the protocol is http.

    Hope this helps. Let me know.

    Miguel

  9. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    Thanks Miguel.

    If the user is not using SSL for admin then $URL and $URL_HTTP will be the same I think.

    In that case if a part of the site is accessed using HTTPS and there is no HTTPS for the admin area, then this won't work.

    But I think that is a rare case - a site that is using HTTPS publicly and no HTTPS for the admin area.

    However I'm inclined to go with the following logic:

    If the public page is HTTP then access admin-ajax.php using HTTP.

    If the public page is HTTPS then access the admin-ajax.php using HTTPS.

    The URL should be generated using the admin_url() function.

    If a site is not compatible with this setup then it's also not going to be compatible with many other plugins that use AJAX.

    So the code would look like this:


    public static function wp_head(){
        $URL = admin_url('admin-ajax.php?action=wordfence_logHuman&hid=' . wfUtils::encrypt(self::$hitID));
        // Strip the scheme so the URL becomes scheme-relative (//host/...)
        $URL = preg_replace('/^https?:/i', '', $URL);
        echo '<script type="text/javascript">var src="' . $URL . '"; var wfHTImg = new Image(); wfHTImg.src=src;</script>';
    }

    Which generates javascript in the public pages that looks like this:


    var src="//test1.com/wp-admin/admin-ajax.php?action=wordfence_logHuman&hid=8EFC33D2CB5D1C0C6F6ED3FC6C9168DC"; var wfHTImg = new Image(); wfHTImg.src=src;

    As you can see the var src= URL is a scheme relative URL that would use either HTTP or HTTPS depending on how the page is being accessed.

    Would this work for your config?

  10. miguelpinheiro
    Member
    Posted 5 months ago #

    Hi Mark,

    I am afraid this doesn't work for my config.

    This is because when using https my domain name is site1379293681.websiteseguro.com, but when using http my domain name is different - site1379293681.hospedagemdesites.ws.

    I think you should use a var like $URL_HTTP as I have suggested.

    In my config
    $URL is
    https://site1379293681.websiteseguro.com/Site/wordpress/wp-admin
    $URL_HTTP is
    http://site1379293681.hospedagemdesites.ws/Site/wordpress/wp-admin

    Thanks,
    Miguel
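
Added example, not part of the original thread and not Wordfence's code: it resolves the beacon URL the way a browser does for the split-host configuration from post 10, comparing the 4.0.3 behaviour, the scheme-relative fix from post 9 and the two-URL fix from post 8. The function names are hypothetical and the `hid` value is a placeholder.

```javascript
// Added illustration: function names are hypothetical and the hid is a placeholder.
const PATH = '/Site/wordpress/wp-admin/admin-ajax.php?action=wordfence_logHuman&hid=PLACEHOLDER';
// What admin_url() returns in the split-host setup described in post 10.
const URL_HTTPS = 'https://site1379293681.websiteseguro.com' + PATH;   // $URL
const URL_HTTP = 'http://site1379293681.hospedagemdesites.ws' + PATH;  // $URL_HTTP
// Hosts that serve wp-admin on each scheme, per posts 6 and 10.
const VALID_HOSTS = {
  'https:': ['site1379293681.websiteseguro.com'],
  'http:': ['site1379293681.hospedagemdesites.ws'],
};

// Post 9 strategy: strip the scheme and let the page's scheme apply.
function schemeRelative(adminUrl, pageUrl) {
  const src = adminUrl.replace(/^https?:/i, '');
  return new URL(src, pageUrl).href; // resolved the way a browser resolves Image.src
}

// Post 8 strategy: emit both URLs and choose by the page's protocol.
function perScheme(httpsUrl, httpUrl, pageUrl) {
  const proto = new URL(pageUrl).protocol;
  let src = httpsUrl;
  if (proto === 'http:') src = httpUrl;
  if (proto === 'https:') src = src.replace('http:', 'https:');
  return src;
}

// Classify the request the visitor's browser would make for the beacon.
function assess(beaconUrl, pageUrl) {
  const b = new URL(beaconUrl);
  const p = new URL(pageUrl);
  if (!(VALID_HOSTS[b.protocol] || []).includes(b.hostname)) return 'wrong-host';
  if (p.protocol === 'https:' && b.protocol === 'http:') return 'mixed-content';
  if (p.protocol === 'http:' && b.protocol === 'https:') return 'https-on-http-page';
  return 'ok';
}

// Compare the 4.0.3 behaviour with both proposed fixes for one page URL.
function compare(pageUrl) {
  const urls = {
    original: URL_HTTPS,
    schemeRelative: schemeRelative(URL_HTTPS, pageUrl),
    perScheme: perScheme(URL_HTTPS, URL_HTTP, pageUrl),
  };
  const out = {};
  for (const [name, url] of Object.entries(urls)) out[name] = { url, verdict: assess(url, pageUrl) };
  return out;
}

console.log(compare('http://www2.asbacsalvador.com.br/'));
```

For the HTTP page in this thread, the scheme-relative URL lands on a scheme and host pair that post 6 lists as not valid, while the two-URL variant reaches the HTTP host named in post 10.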
