Pro Sites: Security Warnings

My Upgrade page http://mysite.com/pro-sites is now resolving as an https (secure) page. This appears to have happened since the latest update to Pro Sites. Consequently it's giving security warnings on non-secure images (like the ShareThis bar).

Why the change? It seemed to work well before.

  • troykd
    • The Crimson Coder

    Turned off PayPal Pro in the settings and it went away (as expected).

    This appears to have come up with the last update. For clarification, I have an SSL Certificate installed on the server/domain and have an active PP pro account.

  • Aaron
    • CTO

    This is how it works. You need a cert for the main site to use pro. Nothing has changed there. Perhaps you had it in sandbox mode which doesn't require SSL?

    As for what was fixed: the "visit your site" link after checking out was https, which as you know throws an error if your cert is not wildcard. That was fixed in 3.0.7.

    As far as insecure resources go, your theme and sometimes plugins have to be modified to properly support SSL. Or an easier thing, which is what we did on edublogs, is to assign a custom page template to that page. Then we could just hardcode all the assets to https.

  • troykd
    • The Crimson Coder

    Hi Aaron,
    I have the cert installed and working.
    Not in sandbox
    Theme is Blogs MU

    This wasn't a problem until a few days ago and it really is distracting for any visitors. I wouldn't want to use the site as a user with the warnings. I started to try to make it work by making the images on the checkout page all https, which helped a lot, but then realized that ALL pages were getting served secure after login and it just created a large number of security warnings.

    Have you tested on a PP Pro site since last update?

    Thanks!

  • Aaron
    • CTO

    Yes. Optimizing for SSL is something you have to do yourself. Pro sites can't handle it as it usually means theme edits. Usually it's not practical to make every theme page ssl ready, which is why I recommended the page template. You need to make sure all assets are loaded https, and additionally that all links off of that page are http, not https. Any links that pro sites creates off the page are http.

    Usually that means hardcoding your header and footer, as many plugins don't respect SSL when loading CSS and JS. Also, dynamic nav menus may use https links, so hardcoding fixes that. It's generally a good idea to simplify checkout pages anyway, with a minimum of distractions and links away from the page.

  • troykd
    • The Crimson Coder

    Phil said this was an issue they identified a few days ago. It started a few days ago. This is something new which says it's not normal behavior. I would have seen this when I first started using PP pro not just now.

    It's not just checkout pages. Once logged in, the admin areas are also tossing the errors and many pages that should not be secure.

    Did you try PP Pro and the new pro sites update????

  • Aaron
    • CTO

    Phil said this was an issue they identified a few days ago. It started a few days ago.

    Yes, and it was fixed in 3.0.7, the https link issue I stated above.

    Again, this is not an issue with the pro sites plugin. You have to follow my suggestions to optimize your theme.

    And yes we are using it on edublogs.org with no problems.

    If you need specific help with my suggestions you can provide a link to the page.

  • Aaron
    • CTO

    Took a look, and just as I said you need to make a page template for your checkout page. For users to get errors you have to be directing them to their subdomain with a https link. Make sure any links off that page, especially to their subdomain are http, not https.

    Best practice, though, would be to present them with very few links on that page that would take them off of it.
    http://codex.wordpress.org/Pages#Creating_Your_Own_Page_Templates

  • troykd
    • The Crimson Coder

    Aaron, thanks for looking into that. I appreciate it.

    Doing that is beyond my skill level at this time. I did find what appears to be a workaround.

    I installed the WordPress https plugin. Checked the new 'force ssl' box on the checkout page. It was still showing as not completely secure. I then deactivated the Slick Social Share Buttons plugin. Now it's showing secure in all browsers. The http links are staying http too.
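
The checklist given in the thread (every asset on the checkout page loaded over https, and no https links to hosts the certificate does not cover) can be checked mechanically. The following is an added example, not part of the thread or of Pro Sites: the `audit` helper, the hostnames and the sample markup are constructed, and it assumes a non-wildcard certificate valid only for the page's own host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
ASSET_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
LOADING_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that are fetched


class CheckoutAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        # Assumption: the certificate covers only this exact host (no wildcard).
        self.cert_host = urlsplit(page_url).hostname
        self.insecure_assets = []   # fetched over http:// from the https page
        self.uncovered_links = []   # https links to hosts the cert does not cover

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ASSET_ATTRS:
            rels = set((attrs.get("rel") or "").lower().split())
            if tag == "link" and not rels & LOADING_RELS:
                return  # e.g. rel="canonical" is never fetched
            self._check(attrs.get(ASSET_ATTRS[tag]), asset=True)
        elif tag == "a":
            self._check(attrs.get("href"), asset=False)

    def _check(self, raw, asset):
        if not raw:
            return
        # Resolve relative and protocol-relative (//host/x) URLs against the page.
        url = urlsplit(urljoin(self.page_url, raw))
        if asset and url.scheme == "http":
            self.insecure_assets.append(raw)
        elif not asset and url.scheme == "https" and url.hostname != self.cert_host:
            self.uncovered_links.append(raw)


def audit(html, page_url):
    parser = CheckoutAudit(page_url)
    parser.feed(html)
    return parser.insecure_assets, parser.uncovered_links


# Constructed sample markup; all hostnames are placeholders.
SAMPLE = """
<link rel="stylesheet" href="http://mysite.example/wp-content/themes/x/style.css">
<link rel="canonical" href="http://mysite.example/pro-sites/">
<script src="//cdn.example/share.js"></script>
<img src="http://w.sharethis.example/bar.png">
<a href="https://blog1.mysite.example/">Visit your site</a>
<a href="http://blog1.mysite.example/wp-admin/">Dashboard</a>
"""
```

Calling `audit(SAMPLE, "https://mysite.example/pro-sites/")` returns the two `http://` assets that would trigger the mixed-content warning and the one https link to a subdomain outside the certificate.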
