Support » Fixing WordPress » WordPress under HTTPS

  • We’d like to make our site,, run entirely on HTTPS, partly because Google now gives that configuration a boost, and partly because our users are (or want to be) in recovery from substance abuse.

    The plugin WordPress HTTPS is a year and a half out of date and isn’t certified to the current version of WP. Despite its high ratings this makes us nervous.

    I’ve set the home and siteurl fields to use https instead of http and this seems to work pretty generally, except for internal links where http is hard coded. I’ve been experimenting with protocol relative links and the change works well – things that came up http now come up https. But our site has about 100 pages and changing all those manually is daunting. Would it be feasible – and a good idea! – to make a global change in the database?? I can construct the SQL query but I’m not sure what tables I should change.

    I also gather that even if I do this there are bits and pieces in the Javascript and CSS that would still be insecure – is there a recommended plugin for that? Should I just go with WordPress HTTPS and hope it doesn’t break anything?

Viewing 10 replies - 1 through 10 (of 10 total)
  • Hedera,

    I have converted a couple of sites from HTTP to HTTPS, my own and Having used the WordPress HTTPS plugin on the latter site, I did not find it any help although this may be because it was conflicting with Woocommerce (which was forcing HTTP mode). If you update your .htaccess file to include a 301 redirect from HTTP to HTTPS this will have the same effect as using the WordPress HTTPS plugin (AFAIK).

    I would recommend the VelvetBlue plug-in to update your internal URLs. It handles the database changes for you, without the need to construct your own SQL statements.

    As you point out, you will need to go through the CSS and, possibly, Javascript files as well. I’m not aware of any wordpress plugins that will do this but if you download your site locally you will be able to search for any hard-coded URLs requiring update to HTTPS. The simplest way to check the state of your HTTPS status is to view the live site in Chrome. Any mixed content (ie HTTP + HTTPS) will be indicated by a Triangle in the address bar, ratehr than padlock symbol. Press F12 to brings up the Developer Tools window and check the Console tab. Any insecure content loaded over HTTP will be itemised in the console window and you can then pinpoint the source and ascertain whether its possible to load it over HTTPS (it may not be possible to load external, third-party content over HTTPS, depending on their mode of serving content: HTTP or HTTPS).

    Thanks for the suggestions, I’ll look into the VelvetBlue plugin. And I have access to a duplicate test copy of my site. I was coming to the same conclusion about the WordPress HTTPS plugin. I still really don’t want to have to go through all 100 pages one at a time…

    My testing has revealed, though, that my .htaccess file will have to have a conditional statement in it to exclude one whole page. We run a heavily used chat room (hosted by 123FlashChat for us); when the chat room page is https, the flash app doesn’t even try to load. We’ll probably have to go to the vendor and see if we can get new code for it; but I’m pretty sure we’ll have to exclude it from a general system https. Sigh. I just learned this yesterday and have yet to research how to do this.

    One question about the VelvetBlue plugin. What version of WordPress do you run it with? We are up to date at WordPress 3.9.2, but when I look at the VelvetBlue plugin, it says it’s only compatible up to WP 3.8.3. Are you running it with WP 3.9.2?

    According to their own FAQ, 123Flashchat does support HTTPS as of version 6.9.2 so it would be worthwhile doing some investigation as to what causes the crash – cross domain issues, perhaps ?

    With regards to the 301 redirects I am no authority on Apache directives but suggest you probably need a two step approach, first to point pages to HTTPS (bar the offending chatroom page) and secondly to force said page to HTTP. The directives you need are along the lines of:

    RewriteEngine on
    # If we're not already in HTTPS mode
    RewriteCond %{HTTPS} !=on
    # Exclude the page to be served via HTTP from the redirect
    RewriteCond %{REQUEST_URI} !^/mypage.php$ [NC]
    RewriteRule ^/?(.*)$1 [R=301,L]
    # Now force this page to HTTP
    RewriteCond %{HTTPS} !off
    # If page URI contains this query string
    RewriteCond %{REQUEST_URI} ^/mypage.php$ [NC]
    RewriteRule ^(.*)$$1 [R=301, L]

    It would be worthwhile checking out the HTTPS Wiki for examples. There may be a more efficient way to handle the redirects, for example omitting the conditional statement on the site-wide redirect to https://

    On VelvetBlue, I ran the plugin on the current version of WordPress (it may have been 3.9.1 at the time) without any issues. VelvetBlue performs a simple search and text replace on the DB so there are unlikley to be any issues, unless the database structure changes (unlikely) so I wouldn’t be too concerned that the compatibility status is showing as WP 3.8.3 in this instance.

    I have a green padlock on every page in Chrome, but FireFox still shows the “blocking content” shield. I have FireBug installed, and its console shows no “blocked content” errors, but it still shows the message.

    I ran VelvetBlue and still had an orange triangle, so I looked in the F12 error list and had 5 errors, 3 of which were local widgets displaying images. I recreated them in an https environment and the padlock turned green, even though the console still shows two “non-https” links:

    I have no idea where these are or how to fix them, but I suspect I’ll have to if I want people to use FireFox 🙁

    And you’re quite right about 123FlashChat. I have instructions from them on how to run the chat room under https. That’s next, then I’ll tackle and I really appreciate the help you’ve given me – thank you!

    I’ve found and eliminated the Superfish link – it was in one of my Chrome extensions. But I cannot find where that link is being called (see my last post), and I’ve actually used Windows Grep to search all 3 of the wp-* directories for the string, in both .php, .css, and .js files. I think it’s part of WordPress’ video handling tools. Anyone ever dealt with this?

    Are you logged out of WP Admin. when you check HTTPS status in Firefox ? You shouldn’t get different results between FF and Chrome. Can you share a sample page ?

    You can see this for yourself. The test home page is The results I describe should work on any public site page to a non-logged in user, which is what I’m concerned about.

    In Chrome the address bar shows a nice green padlock, just like the one on my Bank of America online banking page.

    In FireFox it has a gray padlock, and a little gray shield, which if you click on says, Firefox has blocked content that isn’t secure.

    I see this when not logged in in either browser.

    When I log in to the admin interface, the Chrome display doesn’t change. The shield goes away in Firefox when I display the dashboard but the padlock remains gray. It stays when I’m logged in, as long as I’m on a public page.

    The unsecured content is coming from one of your WP Plugins, FAQ-You which is pulling content from VimeoCDN around line 62 of your source code:

    <script src="" type="text/javascript"></script><script src=""></script>

    It doesn’t look like this plugin is actively supported anymore so I guess you need to decide whether to source an alternative.


    OK, I thought it might be associated with FAQ-You but I couldn’t be sure. I’ll talk to my colleagues about a replacement; we have a lot of FAQs, unfortunately. Can you recommend an alternative?

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘WordPress under HTTPS’ is closed to new replies.