• Resolved PPNSteve

    (@ppnsteve)


    No matter what I do short of disabling root folder htaccess when BPS is enabled most of the various plugin scripts and assets are forced to HTTP not HTTPS.

    What could be causing this and more importantly, how do I fix it?


    • This topic was modified 6 years, 5 months ago by PPNSteve.


Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Author AITpro

    (@aitpro)

    I checked your site and it looks like you already figured out the issue/problem. See this forum topic for additional http to https help tips > https://forum.ait-pro.com/forums/topic/wordpress-ssl-htaccess-code-rewrite-ssl-rewritecond-server_port/#post-7233

    Thread Starter PPNSteve

    (@ppnsteve)

    I have NOT figured out the problem.. BPS plugin is disabled atm.

    I’ve seen that and it makes no difference .. something in BPS is forcing various scripts and css links to change from https to http and I have no clue where or why it’s happening.

    Here is the strange part, if, IF you are logged in (as admin in my case) it usually works fine but end users/visitors see the messed up code and mixed content blocked scripts/css

    Plugin Author AITpro

    (@aitpro)

    hmm ok then the problem you are describing is most likely caused by whichever HTTPS plugin you are using. We have looked at several different HTTPS plugins and none of them are changing actual http database entries to https, which is not really necessary, but would explain the problem you are describing being logged in as an Admin vs Subscriber or not logged in. Unfortunately, the Mixed Content problem is common for everyone when they switch from http to https. Personal opinion is that Google forced folks to make the change to https and they could not automate a solution on their end so folks get stuck with having to do manual corrections on their websites. The good news is that switching to https will make your website much more secure and your website will load significantly faster.

    Switching from http to https does not require a plugin and only requires simple htaccess rewrite code.

    Do these steps:
    1. Deactivate whichever https plugin you are using.
    2. Use the https htaccess rewrite code and do the steps in this forum topic > https://forum.ait-pro.com/forums/topic/wordpress-ssl-htaccess-code-rewrite-ssl-rewritecond-server_port/#post-7233
    3. Scroll down in the BPS forum topic post (towards the bottom of the post) and look at the “important notes” and other additional help sections.

    • This reply was modified 6 years, 5 months ago by AITpro.
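A way to pin down which assets are actually served as mixed content, as an added example that is not part of the thread or of any plugin mentioned in it: the Python below lists the `http://` subresources referenced by an HTTPS page, so the HTML a logged-out visitor receives can be compared with the HTML an admin receives. The sample markup and the `example.test` host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTR = {"script": "src", "link": "href", "iframe": "src", "img": "src", "source": "src"}
LOADING_RELS = {"stylesheet", "icon", "preload"}   # canonical/alternate links fetch nothing
ACTIVE = {"script", "link", "iframe"}              # active mixed content; the rest is passive

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []                         # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTR.get(tag, ""))
        if not value:
            return
        if tag == "link" and not LOADING_RELS & set((attrs.get("rel") or "").lower().split()):
            return
        url = urljoin(self.page_url, value.strip())  # resolves //host/x and relative paths
        if urlparse(url).scheme == "http":
            self.findings.append(("active" if tag in ACTIVE else "passive", tag, url))

def find_mixed_content(page_url, html):
    """Return the http:// subresources referenced by an HTTPS page."""
    if urlparse(page_url).scheme != "https":
        return []                                  # mixed content needs an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup (example.test is a placeholder host).
SAMPLE = """
<link rel="stylesheet" href="http://example.test/wp-content/plugins/demo/style.css">
<link rel="canonical" href="http://example.test/">
<script src="http://example.test/wp-content/plugins/demo/app.js"></script>
<script src="//example.test/wp-includes/js/jquery.js"></script>
<img src="http://example.test/wp-content/uploads/logo.png">
<a href="http://example.test/about/">About</a>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://example.test/", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Protocol-relative URLs, canonical links and ordinary anchors are not reported, because on an HTTPS page none of them causes an insecure fetch.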
    Thread Starter PPNSteve

    (@ppnsteve)

    Thanks for quick reply 🙂

    We are not using a http > https plugin. Site was converted to https prior to using BPS (via database edits) all hard coded links as well as WP settings set to use https.

    htaccess has this in WP loop (still using bps generated htaccess file):

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule ^index\.php$ - [L]
    

    To me, it seems BPS is blocking or disallowing these scripts/css files/plugin links when it’s active.
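How mod_rewrite reads the block posted above, as an added example that is not part of the thread or of BPS: each run of `RewriteCond` lines applies only to the `RewriteRule` that follows it, which is why the DCV exclusions appear before both rules. This is a simplified Python model covering only the directive forms in the post, not Apache itself; the `request` helper and the `example.test` host are assumptions.

```python
import re

# The RewriteCond/RewriteRule lines from the post above.
HTACCESS = r"""
RewriteCond %{HTTPS} !=on
RewriteCond %{SERVER_PORT} ^80
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
"""

def parse_groups(text):
    """Attach each run of RewriteCond lines to the one RewriteRule that follows it."""
    groups, conds = [], []
    for line in text.splitlines():
        tok = re.findall(r"(?:\\.|\S)+", line)   # keeps backslash-escaped spaces in one token
        if tok[:1] == ["RewriteCond"]:
            conds.append((tok[1], tok[2]))
        elif tok[:1] == ["RewriteRule"]:
            groups.append((conds, tok[1], tok[2], tok[3]))
            conds = []                           # conditions do not carry over to later rules
    return groups

def expand(text, env):
    return re.sub(r"%\{(\w+)\}", lambda m: env.get(m.group(1), ""), text)

def cond_ok(test, pattern, env):
    negate, body = pattern.startswith("!"), pattern.lstrip("!")
    value = expand(test, env)
    hit = value == body[1:] if body.startswith("=") else bool(re.search(body, value))
    return hit != negate

def first_rule(env, groups):
    """Return (target, flags) of the first rule that fires, or None (every rule here has L)."""
    path = env["REQUEST_URI"].lstrip("/")        # .htaccess rules match without the leading slash
    for conds, pattern, target, flags in groups:
        if re.search(pattern, path) and all(cond_ok(t, p, env) for t, p in conds):
            return expand(target, env), flags
    return None

def request(scheme, uri, host="example.test"):   # constructed request; host is a placeholder
    on = scheme == "https"
    return {"HTTPS": "on" if on else "off", "SERVER_PORT": "443" if on else "80",
            "HTTP_HOST": host, "REQUEST_URI": uri}
```

With `groups = parse_groups(HTACCESS)`, `first_rule(request("http", "/wp-content/plugins/demo/app.js"), groups)` returns the `https://` redirect target with `[R,L]`, while the same path over HTTPS and an ACME challenge path over HTTP both return `None`. In this model the only redirect in the posted block points to `https://`.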

    Plugin Author AITpro

    (@aitpro)

    Ah ok yeah that is what Let’s Encrypt does. For whatever reason Let’s Encrypt adds htaccess rewrite code redundantly everywhere throughout the root htaccess file. See this forum topic > https://forum.ait-pro.com/forums/topic/htaccess-code-insertions-causing-quarantines/. What is odd is that all that additional redundant htaccess rewriting code should not be necessary. Doing a rewrite from http to https is a very simple thing to do that should take a few lines of htaccess code.

    So what you probably need to do is to copy the Let’s Encrypt code to BPS Custom Code to save it permanently. I don’t believe it would be necessary to copy every single instance of the Let’s Encrypt code to BPS Custom Code. Logically you should only need to copy the WP REWRITE LOOP section of htaccess code to this BPS Custom Code text box: 8. CUSTOM CODE WP REWRITE LOOP START, click the Save Root htaccess File button and click the Root Folder BulletProof Mode Activate button.

    Thread Starter PPNSteve

    (@ppnsteve)

    I tried to do the custom code, but for some reason it’s not saving and/or not changing the htaccess file used when BPS is activated.

    Plugin Author AITpro

    (@aitpro)

    Sounds like a very common Mod Security problem > https://forum.ait-pro.com/forums/topic/mod-security-common-known-problems/. Log into your web host control panel and temporarily disable Mod Security.

    Thread Starter PPNSteve

    (@ppnsteve)

    wow, i don’t think that is a wise idea.. this is a shared server.. and it needs to be as secure as possible in that environment..

    apparently your plugin is triggering multiple mod_sec rules.. perhaps you guys need to rework the code a bit?


    (https://snag.gy/Zsorpd.jpg)

    I tried to temp disable the affected mod_sec rules but there are a few too many to deal with..

    I guess we will just have to remove this plugin as we can’t get the damn thing to work properly.

    • This reply was modified 6 years, 5 months ago by PPNSteve. Reason: spelling
    Plugin Author AITpro

    (@aitpro)

    Yeah I hear what you are saying. Unfortunately since cPanel added the new Mod Security tool around January 2017 with default SecRules/SecFilters that break BPS, WordPress itself, many plugins and many themes there is really not much we can do. Ironically what Mod Security breaks in BPS is the security that BPS already provides and that Mod Security is applying. Simply just another poorly executed cPanel tool thing. cPanel has a history of doing this kind of thing, which is nuts because they are huge. Simply just bizarre of cPanel to assume that nothing in the universe exists besides cPanel.

    • This reply was modified 6 years, 5 months ago by AITpro.
    Thread Starter PPNSteve

    (@ppnsteve)

    I’ve been using cPanel’s mod_sec since I got this server some 5 yrs ago.. wasn’t broke (for the most part) using the default cPanel supplied rules.. so unless they have changed and auto-applied, it should be working normally.

    Oh well .. gotta find some way to secure this WP install that doesn’t break the site.

    Thanks for trying to help.

    Plugin Author AITpro

    (@aitpro)

    Yep, for the last 11 months we have seen a wide variety of problems with the new cPanel versions that include the new Mod Security tool feature. Maybe try Wordfence. Wordfence offers decent website security, but nothing like BPS security. 😉

    Thread Starter PPNSteve

    (@ppnsteve)

    Hi,
    Yeah I hear ya..
    Ok I’ll look into it as well..

    Plugin Author AITpro

    (@aitpro)

    Assuming all questions have been answered – the thread has been resolved. If you have additional questions about this specific thread topic then you can post them at any time. We still receive email notifications when threads have been resolved.

  • The topic ‘ENABLING bps BREAKS HTTPS PLUGIN LOADING’ is closed to new replies.