WordPress.org


SSL enabled by default for login/admin; how to remove? (17 posts)

  1. refactored
    Member
    Posted 5 years ago #

    First time using WP, and I've simply followed the 5min install: unzipped to root directory, set up the DB, went through the "install" script, and when it said log-in I noticed that it was trying to post to https://mydomain/wp-login.php.

    I've been through everything and can't work out how to disable https for login & the admin section.

  2. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    I don't see how that could happen unless you specifically turned it on.

    Look in the wp-config.php file. See if you see anything setting "FORCE_SSL" or similar to "true". To turn it off, simply change it to false.

  3. refactored
    Member
    Posted 5 years ago #

    There's nothing in the wp-config file that's not there by default. This is a completely clean install, downloaded directly from wordpress.org.

  4. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    Well, then, that doesn't make any sense. WordPress does not force SSL by default. But something somewhere is doing this. Your task is now to figure out what that is.

    We probably can't help you much with this task, since we don't have access to your site.

  5. refactored
    Member
    Posted 5 years ago #

    You can easily replicate this yourself:

    # cd /var/www
    # curl http://wordpress.org/latest.tar.gz | tar zx
    # mv wordpress mycompanyblog

    ...then point your webserver to it, and go through the 5min install instructions. That's all I did! 4 times I've done it now, wiping everything - even the server, since this is a completely fresh install on an Amazon EC2 server. Still no luck.

    Please note:
    - I'm NOT changing any variables/options/settings by hand; all done through the install script.
    - I'm NOT editing any database tables, rows, or data.
    - I'm NOT modifying any source code in the PHP files.

    I honestly can't believe this; I could understand if I were messing with settings during the install, but I'm not. Download, unzip, point webserver at source, follow instructions... FAIL.

  6. refactored
    Member
    Posted 5 years ago #

    I've even tried 2.7.1 - same deal: the form on /wp-login.php automatically wants to post via https. Same install method; download, unzip, point webserver at space, visit domain and go through the online setup instructions... gives me the password after completion, then the login form wants to post via https!

  7. refactored
    Member
    Posted 5 years ago #

    It also seems that all links/resources want to be served by https. Nothing works as expected! Seriously, this needs sorting.

  8. refactored
    Member
    Posted 5 years ago #

    Please note; I'm not using Apache. I'm using nginx. This shouldn't matter as wp is just another PHP app, unless it checks/modifies the apache config automatically during the setup procedure. If it does, then it's a naughty, naughty little application and should be scolded.

  9. Samuel B
    moderator
    Posted 5 years ago #

    otto42 is correct - wordpress does not do this by default - something else is up

  10. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    "It also seems that all links/resources want to be served by https. Nothing works as expected! Seriously, this needs sorting."

    See, now that can't possibly be WordPress, because other resources like images and such are not served up by WordPress. They're straight thru the webserver. So this is a product of your webserver configuration, somehow.

  11. refactored
    Member
    Posted 5 years ago #

    Sorry, I failed to express myself correctly: the HTML generated has https:// links for everything. Archive, images, etc. Checking the http headers for theme images requested in the CSS shows PHP *redirects* to https. PHP wouldn't even be part of the headers if nginx was redirecting.

    The odd thing is that this doesn't happen on IIS. Just nginx. Here's what's going on:

    # cd /var/www
    # curl http://wordpress.org/latest.tar.gz | tar zx
    # mv wordpress mycompanyblog
    # cat /etc/nginx/vhosts/mycompanyblog
    server {
        server_name mycompanyblog.tld;
        root /var/www/mycompanyblog;
        index index.php;
        location / {
            try_files $uri @wordpress;
        }
        location @wordpress {
            rewrite ^ /index.php?q=$uri last;
        }
        location ~ \.php($|/) {
            include conf/php-fcgi.conf;
        }
    }
    # service nginx restart

    Nothing crazy there, and I've hosted hundreds of sites with Nginx+PHP so I have some idea of what I'm doing.

    The links in the HTML source after going through the install look like this: https://mycompanyblog.tld/?m=200907

    I'm at a complete loss.

  12. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    Did you type https into the two URLs in the setup or in the Settings->General screen? It uses those settings to build any of the internal URLs.

  13. Stevan Bajic
    Member
    Posted 5 years ago #

    You probably have in your fastcgi_params the following line:
    fastcgi_param HTTPS on;

    Remove that line and things should work as expected.

  14. Douglas

    Posted 5 years ago #

    Stevan has a good point. If you didn't set it to do this in WordPress, chances are that it's a server level configuration that needs to be changed.

  15. danielbair
    Member
    Posted 4 years ago #

    This is happening to me too, and having the css and images in https while the page was loaded in http is very annoying. It breaks ajax and such. I NEVER specified https during installation. I can't find any https in the database or config files. If I disable https on this vhost the problem still exists, but now the css and images can't load! This is on an Apache2/PHP5/MySQL5 server. (I also installed to a vhost that did not have https and no problem.) Function is_ssl() returns true every time the page is loaded through http or https.

  16. joelbair
    Member
    Posted 4 years ago #

    Solved - https html links added on a non-https vhost
    by correcting the logic in is_ssl()

    (Red Hat 5) Apache 2.2.x \w mod_php-5.2.11

    -- lines 3040 - 3047 of ./wp-includes/functions.php

    function is_ssl() {
            if ( isset($_SERVER['HTTPS']) ) {
                    #if ( 'on' == strtolower($_SERVER['HTTPS']) )
                            return true;
                    #if ( '1' == $_SERVER['HTTPS'] )
                    #       return true;
            #} elseif ( isset($_SERVER['SERVER_PORT']) && ( '443' == $_SERVER['SERVER_PORT'] ) ) {
            #       return true;
            }
            return false;
    }

    http://php.net/manual/en/reserved.variables.server.php

    'HTTPS'
    Set to a non-empty value if the script was queried through the HTTPS protocol.

    Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.

    -- looks like they develop WP on IIS and have developed a working method for IIS ISAPI only. In either case (Apache or IIS) the global is undefined unless we are accessed via an https://hostname

  17. danielbair
    Member
    Posted 4 years ago #

    http://www.chrissearle.org/blog/technical/apache2_namevirtualhosts_ssl_and_server_port

    This is what is happening and why is_ssl() breaks on some configurations.
    Testing $_SERVER['SERVER_PORT'] is not reliable, but testing whether $_SERVER['HTTPS'] is set does work.

    I do hope that the WordPress support team and programmers will take note of this and do something about this issue, because it was very hard to find this support topic and most of those giving answers were not helpful.
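
The detection variants discussed in posts 13, 16 and 17, run side by side over constructed `$_SERVER` samples. This is an added example, not code from the thread or from WordPress: the function names, the strict variant and the sample environments are assumptions made here, and `is_ssl_stock` is reconstructed by uncommenting the lines shown in post 16.

```php
<?php
// Added example (PHP 7.1+). Function names and sample environments are constructed.

// Stock logic, reconstructed by uncommenting the lines shown in post 16.
function is_ssl_stock(array $s): bool {
    if (isset($s['HTTPS'])) {
        if ('on' == strtolower($s['HTTPS'])) return true;
        if ('1' == $s['HTTPS']) return true;
    } elseif (isset($s['SERVER_PORT']) && ('443' == $s['SERVER_PORT'])) {
        return true;
    }
    return false;
}

// Post 16's edit: any defined HTTPS value counts as SSL.
function is_ssl_isset_only(array $s): bool {
    return isset($s['HTTPS']);
}

// Stricter variant (an assumption of this example, not WordPress code):
// HTTPS must be non-empty and not "off"/"0"; SERVER_PORT is ignored.
function is_ssl_strict(array $s): bool {
    $v = strtolower((string) ($s['HTTPS'] ?? ''));
    return $v !== '' && $v !== 'off' && $v !== '0';
}

function tf(bool $b): string { return $b ? 'true' : 'false'; }

// Constructed $_SERVER samples: [environment, was the request really HTTPS?]
$samples = [
    'Apache, http, HTTPS unset'           => [['SERVER_PORT' => '80'], false],
    'Apache, https'                       => [['HTTPS' => 'on', 'SERVER_PORT' => '443'], true],
    'IIS ISAPI, http, HTTPS=off'          => [['HTTPS' => 'off', 'SERVER_PORT' => '80'], false],
    'http vhost reporting port 443'       => [['SERVER_PORT' => '443'], false],
    'nginx, http, fastcgi_param HTTPS on' => [['HTTPS' => 'on', 'SERVER_PORT' => '80'], false],
];

foreach ($samples as $label => [$env, $actual]) {
    printf("%-36s actual=%-5s stock=%-5s isset_only=%-5s strict=%-5s\n",
        $label, tf($actual), tf(is_ssl_stock($env)),
        tf(is_ssl_isset_only($env)), tf(is_ssl_strict($env)));
}
```

On these samples the stock logic misreports the port-443 row and the post 16 edit misreports the IIS row. Every variant reports true for the nginx row, because PHP only sees the value the server passes, so that case has to be corrected in the server configuration as post 13 describes.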


This topic has been closed to new replies.
