[resolved] Admin (attempting) redirect to HTTPS (8 posts)

  1. Over the last 3 weeks or so, several clients and I have all experienced an intermittent issue, where when publishing/updating, when navigating between pages of the dashboard, sometimes even when just trying to go to wp-login, the site attempts to use https, and so gives insecure content warnings because there is no SSL. This has happened on more than a dozen sites.

    At first, this was happening in a more active hosting account, where several sites DO have SSLs, and I thought there might be an SNI issue going on. But in the last few days, I have had it occur in another hosting account where there is no SSL present.

    I've tried to monitor my error logs for when this is happening, and up until this morning, I thought this was related to the https redirect:

    [Wed Jun 04 15:32:15 2014] [error] [client] ModSecurity: Warning. Match of "rx ^POST$" against "REQUEST_METHOD" required. [file "/etc/apache2/mod_security/custom/wpbrute.conf"] [line "6"] [hostname "fumsdrl.org"] [uri "/wp-login.php"] [unique_id "U4@eb826sAwAAGGLDbEAAACS"]
    [Wed Jun 04 15:32:16 2014] [error] [client] ModSecurity: Warning. Match of "rx ^POST$" against "REQUEST_METHOD" required. [file "/etc/apache2/mod_security/custom/wpbrute.conf"] [line "11"] [hostname "fumsdrl.org"] [uri "/wp-login.php"] [unique_id "U4@eb826sAwAAGGLDbEAAACS"]

    I'm not sure what this error is, but it seemed related to security. I had been using WordFence, so as a test, I deactivated WordFence, and installed Login Lockdown. I'm still getting these errors. And these errors are happening much more frequently than the https redirect.

    Also, this morning, when I had a redirect instance, I couldn't find an error in the log related to that domain. As a test, I deactivated Login Lockdown too, and I am still getting these errors without any security plugin active. I'm still not sure what is causing these errors, but I'm thinking that they are totally unrelated to my https redirect.

    I wondered if the redirect was somehow related to sessions prematurely ending, but the redirect doesn't seem to be trying to go to a login page, just an https version of the dashboard page.

    The weird thing is this seems so intermittent-- I can be working just fine, navigating through the dash, making updates, then all of a sudden, an insecure content warning because https tried to be invoked. There doesn't seem to be any pattern to it.

    Then last night, I had an email from a client that their site from the front was giving insecure content warnings. No SSL on the site, no attempted dashboard access for this client.

    I've hunted through plugins looking for https, tried some deactivations, tried to look at plugins deployed on affected & non-affected sites, but I'm not finding much. Of course, because the issue is intermittent, it's hard to know if I'm finding a solution.

    Has anyone seen this sort of thing before?

    And ideas about focus areas for troubleshooting?

    If I keep coming up empty for solutions, would a possible workaround be forcing http in the htaccess like this?

    RewriteEngine On
    RewriteCond %{HTTPS} on
    RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
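
An added example, not part of the original post: a small parser for ModSecurity warnings in the Apache error-log format quoted above. It groups hits by unique_id (one id per HTTP request) and lists the hits for one hostname around the time a redirect was observed, which is the correlation the post attempts by hand. The third and fourth sample lines, `example.org` and the function names are constructed for illustration; the `[client]` field is empty as in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two warnings quoted in the post, one made-up hit for
# another site (example.org and its unique_id are placeholders), one unrelated line.
SAMPLE_LOG = r'''[Wed Jun 04 15:32:15 2014] [error] [client] ModSecurity: Warning. Match of "rx ^POST$" against "REQUEST_METHOD" required. [file "/etc/apache2/mod_security/custom/wpbrute.conf"] [line "6"] [hostname "fumsdrl.org"] [uri "/wp-login.php"] [unique_id "U4@eb826sAwAAGGLDbEAAACS"]
[Wed Jun 04 15:32:16 2014] [error] [client] ModSecurity: Warning. Match of "rx ^POST$" against "REQUEST_METHOD" required. [file "/etc/apache2/mod_security/custom/wpbrute.conf"] [line "11"] [hostname "fumsdrl.org"] [uri "/wp-login.php"] [unique_id "U4@eb826sAwAAGGLDbEAAACS"]
[Wed Jun 04 15:40:02 2014] [error] [client] ModSecurity: Warning. Match of "rx ^POST$" against "REQUEST_METHOD" required. [file "/etc/apache2/mod_security/custom/wpbrute.conf"] [line "6"] [hostname "example.org"] [uri "/wp-login.php"] [unique_id "CONSTRUCTED-ID-0001"]
[Wed Jun 04 15:41:00 2014] [error] [client] File does not exist: /var/www/favicon.ico
'''

TS_RE = re.compile(r'^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\]')
MSG_RE = re.compile(r'ModSecurity: (.*?)(?= \[file ")')
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # [file "..."], [line "..."], ...

def parse_line(line):
    """Return a dict for a ModSecurity error-log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    ts = TS_RE.match(line)
    msg = MSG_RE.search(line)
    rec = dict(TAG_RE.findall(line))
    rec["time"] = datetime.strptime(ts.group(1), "%a %b %d %H:%M:%S %Y") if ts else None
    rec["message"] = msg.group(1) if msg else ""
    return rec

def parse_log(text):
    """All ModSecurity records in a log, in file order."""
    return [r for r in map(parse_line, text.splitlines()) if r]

def by_request(records):
    """Group records by unique_id, i.e. by the single request that triggered them."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("unique_id", "?")].append(r)
    return dict(groups)

def hits_near(records, hostname, when, window_s=60):
    """ModSecurity hits for one hostname within window_s seconds of `when`."""
    return [r for r in records if r.get("hostname") == hostname and r["time"]
            and abs((r["time"] - when).total_seconds()) <= window_s]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for uid, group in by_request(recs).items():
        print(uid, group[0]["hostname"], group[0]["uri"], [r["line"] for r in group])
    print(len(hits_near(recs, "fumsdrl.org", datetime(2014, 6, 4, 15, 32, 30))))
```

On the two lines from the post, the shared unique_id shows they are a single request to /wp-login.php that matched two rules (lines 6 and 11 of wpbrute.conf), not two separate events.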

  2. Just remembered that I switched sites in both of these hosting accounts to fastcgi about a month ago. Any chance that fastcgi is a factor here?

  3. holmpage
    Posted 1 year ago #

    I'm having a very similar problem as you describe on MediaTemple GS. Have you learned anything more about the problem?

  4. Dave
    Posted 1 year ago #

    Any further updates on this? Same problem here on MediaTemple GS, some servers with FastCGI and some without. I want to know what is causing this or a workaround like the htaccess solution recommended above.

  5. It's been a while back, but I'm pretty sure that changing the PHP version from FastCGI to "regular" PHP solved this issue. It's not happening for me anymore.

  6. theevent
    Posted 10 months ago #

    Apologies for resurrecting an old thread, but I'm having this exact same issue, with identical errors in my logs. I'm also on Media Temple Grid. I disabled fastcgi about two weeks ago after initially finding this thread, but I'm still getting 502 Bad Gateways triggered in the WordPress Admin area by publishing posts, updating plugins, or simply by clicking around to different areas of the admin.

    The 502s are intermittent, but they seem to be getting more frequent.

    Did anyone else come up with any solutions besides disabling fastcgi? I've been trying to fix this for weeks!

    Thank you.

  7. @theevent: No, the fastcgi disable fixed my issue.

    Your best bet would be to start a new support request, since this old one might not get looked at much. Also, be sure to include your .htaccess file when you post.

  8. theevent
    Posted 10 months ago #

    Hi Bet,

    Thanks so much for taking the time to reply.

    I started a new thread yesterday afternoon:


    It appears that it's a server configuration problem. Last time I called they told me the problem was on my end. It would appear that's not the case, so I will be trying to get it sorted today. The last time I called they offered to turn off their "wpbrute.conf", but did not recommend it. I will ask them to do this today and perhaps that will rectify the problem and I will implement my own additional security measures.

    I will come back and report on what fixed my problem in case others find this thread in the future, as it sounds like a few of us have experienced this.

    I appreciate your reply. Thanks!

Topic Closed

This topic has been closed to new replies.