Semi working SSL
-
Hello,
I’m wondering if a migration from one host to another can cause issues with this plugin? The URL is the same, the host is different. Are there any steps I can follow to make it secure again, if I have to uninstall – would I have to remove any tables from the database?
Version 7.0.6
– Plugin says SSL is activated.
– SSL Certificate is active and renewed.
– Frontend site shows up secure.
– Some aspects of the site still shows up as not secure, for an example the wp-admin login page, elementor editor(only sometimes) for quick examples.
– Phpmyadmin dashboard reports SSL isn’t used.
(if the database is supposed to be connected in sync with the website SSL I don’t know)
Really Simple SSL Settings (ON)
– Redirect 301 (for the time being)
– Mixed content fixer
– Mixed content fixer – back-end (since it was worse without)
Hardening Settings (ON)
– Hide WordPress version
– Prevent login feedback
– Disable directory browsing
– Disable user enumeration
– Block the username ‘admin’
– Block user registrations when login and display name are the same
Plugins
All plugins are updated to the latest versions except for
– WooCommerce
– WooCommerce Composite Products
– WooCommerce Product Add-ons
The last two has to be licensed before I can update WooCommerce.
Possible future plugin clash?
Will any of these plugins cause any issues with Really Simple SSL:
– Jetpack (albeit disabled)
– Wordfence (currently completely uninstalled, db tables and everything for the time being because of other reasons)
When Wordfence is re-installed – are there any settings I need to steer clear of to not cause issues?
Message from the Host
“SSL is activated and the traffic is secure. ” There are other aspects of security you can improve upon but that has nothing to do with the server nor SSL and is something you are in charge of.”
Backstory
I have not set up the WordPress installation nor installed the plugins – my current admin task is removing unused / redundant plugins installed by the previous admin & host upkeep before I can resume my other tasks. I have “simply” made the migration. I’d rather not display the page here because of other reasons even if it’s only seen by logged in users.-
This topic was modified 2 years, 8 months ago by
. Reason: Addendum
-
This topic was modified 2 years, 8 months ago by
-
This topic was modified 2 years, 8 months ago by
-
This topic was modified 2 years, 8 months ago by
-
This topic was modified 2 years, 8 months ago by
-
This topic was modified 2 years, 8 months ago by
-
@rogierlankhorst
Thanks a lot!
I’ve enabled .htaccess redirect however I took the “read instructions first” and did the changes that were only supposed to be done if the redirect results in a loop. (edited .htaccess & wp-config.php) I read it several times"you need to know how to remove it just in case"and still went through with it. I must be tired.
I can simply remove / add back the lines again, but is it harmful leaving it as it is – or are these changes undoing the whole process?
The /wp-admin login page is still showing up as “not secure”, at least in Firefox. (parts of this webiste is not secure such as images)
Best Regards,I “undid” the process. As in removed the top most line beneath <?php from wp-config.php and added back the three lines into .htaccess.
The mixed content (page is not secure) seems to be a constant on the login page though.
Microsoft Edge (this time)Mixed Content: The page at 'https://[redacted]/wp-login.php?redirect_to=https%3A%2F%2F[redacted]%2Fwp-admin%2F&reauth=1' was loaded over HTTPS, but requested an insecure favicon 'http://[redacted]/wp-content/uploads/2020/02/cropped-output-onlinepngtools-1-2-32x32.png'. This content should also be served over HTTPS.I’ve read around some and understood that there is a possibility that this ‘unsecure’ might only happen locally for me for some reason while not for others? I’ve really tried to get it working but I just can’t seem to figure out why the favicon is set to go over “http” rather than “https” in the site headers.
Something else that I’ve seen in the log that should be connected to RSSSL, is this how it’s supposed to be? If not, how can it be fixed? I’ve seen the folder and the.htaccesshas a line for it.[redacted].cc [Sun Jul 23 09:17:53.647219 2023] [core:info] [pid 27993:tid 139893132920576] [client 74.125.208.102:52890] AH00128: File does not exist: /data/7/3/73955e7d-281c-483a-8c3e-f1d87a9f775e/[redacted].cc/web/.well-known/traffic-advice
[redacted].cc [Sun Jul 23 14:50:04.256397 2023] [core:info] [pid 11210:tid 139893141313280] [client 74.125.208.104:38800] AH00128: File does not exist: /data/7/3/73955e7d-281c-483a-8c3e-f1d87a9f775e/[redacted].cc/web/.well-known/traffic-advice
[redacted].cc [Sun Jul 23 17:06:00.070582 2023] [core:info] [pid 47394:tid 139893200062208] [client 74.125.208.102:11680] AH00128: File does not exist: /data/7/3/73955e7d-281c-483a-8c3e-f1d87a9f775e/[redacted].cc/web/.well-known/traffic-advice
Apologies for all these beginner questions.Hello @jarnovos,
Thank you kindly for assisting me with these questions.
Settings > General
WordPress URL
https://[redacted].cc
Site URL
https://[redacted].cc
1. Favicon uploaded with correct dimensions & filetype & new filename.
2. Cache cleared with WP-Rocket & browser cache flushed to the bone.
3. Really Simple SSL installed (settings listed up top)
4. I don’t have access to directly write to the root of my site – since I’m not yet comfortable using SSH I guess this is a problem. So I haven’t been able to put a favicon directly in the root to then manually load through a code snippet as shown in the site you linked.
Regarding .htaccess rules, there are two:
#1
Located right after “#BEGIN WP Rocket v3.14.2.1” at the top:#Begin Really Simple SSL Redirect<IfModule mod_rewrite.c>RewriteEngine on RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/ RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]<IfModule>
#End Really Simple SSL Redirect
#2
Located closer to the bottom:#BEGIN Really Simple SSL LETS ENCRYPT
RewriteRule ^.well-known/(.*)$ - [L]
#ENDReally Simple SSL LETS ENCRYPTHi @swmkii,
OK, to quickly summarize: SSL works correctly, just not on the login pages & back-end because of the favicon loading over
http://? If so, I would recommend trying if enabling the “Mixed content fixer – back-end” setting in RSSSL (Settings > SSL > “Settings” in the top menu bar > General) may already solve that issue.My best guess as to why this might’ve occurred, would be that there’s still a ‘hard-coded’ Home or Site URL with
http://in thewp-config.php. (https://wordpress.org/documentation/article/changing-the-site-url/#edit-wp-config-php)I’m not entirely sure as to what file this message might refer to, though:
AH00128: File does not exist: /data/7/3/73955e7d-281c-483a-8c3e-f1d87a9f775e/[redacted].cc/web/.well-known/traffic-adviceHope it helps. Kind regards, Jarno
@jarnovos
Yes that’s correct. But I’ve seen the mixed content also affect the Elementor editor and it’s only being triggered by images (last seen yesterday).
The wp-config file does unfortunately not contain any hard coded http:// either. You can probably see why this confused me by the minute.
I’ve also hadMixed content fixer - back-endapplied since way back. But today I tried to apply theMixed content fixed init-hookas well just to humor myself, even though it’s supposed to be for front-end use.
This seems to have redeemed the issues for some reason, for now at least. I haven’t seen the mixed content warning on the wp-admin login page on any of my browsers. Hopefully this will somehow also extend to any other pages back/front-end.
So I guess the most annoying part is solved!
Regarding this error logAH00128: File does not exist: /data/7/3/73955e7d-281c-483a-8c3e-f1d87a9f775e/[redacted].cc/web/.well-known/traffic-advice
Is the “traffic-advice” not supposed to be in there?
This also appeared today[redacted].cc [Thu Jul 27 01:45:50.522440 2023] [core:info] [pid 31418:tid 139893082564352] [client 138.199.60.183:46034] AH00128: File does not exist: /data/7/3/73955e7d-281c-483a-8c3e-f1d87a9f775e/[redacted].cc/web/.well-known/pki-validation/cloud.php
Thanks!
The topic ‘Semi working SSL’ is closed to new replies.
