• Resolved prolitekeiran


    I have been trying to lock down the last of the “http” code on my page.

    I have found that there are two links that are generated under the CDATA that have hard http: links in them.

    Two instances of this:

    This is interfering with the https: loading of the website.

    Not only is this interfering with the way the site works, it also breaks normal “best practice” for url links. The best practice has been for years to use https: for hard links or better yet, to simply use “//”.

    Unfortunately, I haven’t been able to find anywhere within the code that actually references this.

    On another thread, it describes this as an issue with the I18n handling and is related to a huge amount of code bloat for no apparent reason.

    That thread was closed over two months ago and someone else pointed out that the http issue is a much bigger problem.

    Neither of these has been addressed, but I see that you have continued updating this plugin.

    I can live with a little bloat, but I cannot live with http: unsecure hard links in my page source.

    This needs to be fixed 2 months ago. I would consider this very high priority since it affects the secure/unsecure status of all sites that use this plugin and in turn will also be affecting their Google ranking. I have had people messaging my clients telling them that their site is not secure simply because I am using your plugin. This is 100% unacceptable.

    I did not build this plugin, but it took me less than half an hour to find the source of the problem. I am sure that the people who are involved in dev for this plugin should be able to fix this problem within just a few minutes.

    Please get this dealt with. The HTTP/HTTPS standard issue has been a problem for a long time and just because it works fine in Chrome, it does not mean that all browsers have the same sensitivity level.

    Please care for your code responsibly.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter prolitekeiran


    Just to follow up, I noticed that there were 13 instances of this problem in the Contact Form 7 Image Captcha plugin. I informed the developer a few hours before I wrote this post. He has already made the modifications from http to https within his code base and pushed it out as an update.

    My back end is showing that this was automatically updated 14 hours ago, which means he had this change published to the world within 3 hours of being notified of the problem.

    Excellent work on his part. He’s just one guy.

    You were informed of this problem 2 months and 2 weeks ago based on my search results in these forums. You have only two instances of hard links using http in your code base. You have 4 active developers on this project. You have published several updates since then. You have been reminded on these forums of the importance of not using hard HTTP links and why that’s a problem for your users.

    Why am I even having to write this?

    Plugin Support wfpeter


    Hi @prolitekeiran, thank-you for your further report on the http code being inserted.

    We are currently on Wordfence 7.5.4 and the fix for this is already scheduled as part of the 7.5.5 release, so whilst we don’t ever commit to exact release dates on the forums, this isn’t far away from being included.

    Thanks again,


    Thread Starter prolitekeiran


    That’s great news Peter.

    I have disabled the plugin temporarily on all sites I have been using it. I also use NinjaFirewall and Sucuri, so I’m sure it will be fine.

    Any idea when 7.5.5 will come out so I can come back to it? Is this a weekly update? biweekly? I’ll just make a reminder for myself.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘HTTP code in the CDATA’ is closed to new replies.