Prosites when user creates a site, the link to their site force SSL and bring up a security warning

I am just about to launch my site to the public and thought I would do a quick run through of the sign up process to check everything works correctly.

One big issue is that when users sign up for a site (regardless of whether it's paid or free) they are shown a page that says "Finalizing your site..." and the links on this page to the new site force https - so when the user clicks on the link, they are presented with an "Unsecured connection" error page - this really doesn't give my customers confidence in me.

I think the issue is that I use stripe so therefore, the checkout page must use SSL.

How can we workaround this issue?

  • Adam Czajczyk

    Hello Samuel,

    I hope you're well today and thank you for your question!

    The Pro Sites plugin does not enforce any protocol by default, instead it follows the one that's used for main site. Since your "pro sites" (e.g. select a plan) page is served over SSL, the link presented to the user will also follow that setting (will be "https://").

    There's no "out of the box" solution to re-solve this but I think the workaround given below should help here. Take a look at this code please:

    add_action( 'wp_footer', 'redirect_without_ssl' );
    function redirect_without_ssl() {
    	?>
    	<script type="text/javascript">
    		jQuery(document).ready(function ($) {
    			var main_site = 'YOUR_DOMAIN_HERE';
    			$('a').each(function () {
    				var domain = extractDomain($(this).attr('href'));
    				//check of this is subdomain
    				if (domain && domain != main_site && domain.indexOf(main_site)) {
    					$(this).attr('href', $(this).attr('href').replace('https://', 'http://'));
    				}
    			});
    
    			function extractDomain(url) {
    				if(url == undefined){
    					return false;
    				}
    				var domain;
    				//find & remove protocol (http, ftp, etc.) and get domain
    				if (url.indexOf("://") > -1) {
    					domain = url.split('/')[2];
    				}
    				else {
    					domain = url.split('/')[0];
    				}
    
    				//find & remove port number
    				domain = domain.split(':')[0];
    
    				return domain;
    			}
    		})
    	</script>
    	<?php
    }

    It should scan all URL's on the site the user is currently viewing (regardless whether it's a Pro Site site or any other site) and in case it finds an URL that points to a sub-domain of your setup and includes https://, it replaces "https://" with "http://".

    To give it a try please:
    - first, replace "YOUR_DOMAIN_HERE" with your domain name (do not use "http://" and "https://" prefixes, just a domain name like "yourdomain.com")
    - second, put the code at the end of "functions.php" file of your main site's current theme

    In case it didn't work or broke the site in anyway, you may safely remove the code from a file and it should all go back to current state.

    Let me know please if it helped!
    Best regards,
    Adam

  • Samuel

    Hi Adam,
    Thanks for your reply - unfortunately the script didn't work, when a blog is created, the user is still presented with a link to their admin panel with https in the url - thus leading them to an unsecured page.

    I made a screencast video of a test sign up so you can see what I mean - https://drive.google.com/file/d/0Bz7QPMwRx89ZTUxTa1ZvMEg0djA/view

    Surely I'm not the only one experiencing this problem? I'm sure it's down to the fact that I use stripe with ProSites and therefore SSL is forced on the checkout page (I checked, and there is an option under Prosites Payent Gateways > Stripe which forces SSL in order for Stripe to be in live mode).

    Any other thoughts - really need this fixed as I'm due to launch this week.
    Sam

  • Milan

    Hello @sam69,

    Hope you are doing well today. :slight_smile:

    I think issue on your end is that text of link is still containing https:// in it. So to replace https:// to http:// in link text too, use this snippet of Adam's which I've modified a bit more.

    add_action( 'wp_footer', 'redirect_without_ssl' );
    function redirect_without_ssl() {
    	?>
    	<script type="text/javascript">
    		jQuery(document).ready(function ($) {
    			var main_site = 'YOUR_DOMAIN_HERE';
    			$('a').each(function () {
    				var domain = extractDomain($(this).attr('href'));
    				//check of this is subdomain
    				if (domain && domain != main_site && domain.indexOf(main_site)) {
    					$(this).attr('href', $(this).attr('href').replace('https://', 'http://'));
    					$(this).text( $(this).text().replace('https://', 'http://') );
    				}
    			});
    
    			function extractDomain(url) {
    				if(url == undefined){
    					return false;
    				}
    				var domain;
    				//find & remove protocol (http, ftp, etc.) and get domain
    				if (url.indexOf("://") > -1) {
    					domain = url.split('/')[2];
    				}
    				else {
    					domain = url.split('/')[0];
    				}
    
    				//find & remove port number
    				domain = domain.split(':')[0];
    
    				return domain;
    			}
    		})
    	</script>
    	<?php
    }

    Let me know it goes for you. :slight_smile:

    Cheers,
    Milan

  • Milan

    Hello @sam69,

    Hope you are doing well and thanks for granting us support staff access to your site. :slight_smile:

    I can't find any snippet manager plugin installed on your end so seems like you have pasted above snippet in your theme's functions.php file or what ?

    Please tell me where do you have pasted above snippet and send me your ftp and wp admin details so that I can test well. :slight_smile:

    To send those data confidentially, please go to our secure contact form here,
    https://premium.wpmudev.org/contact/

    Select "I have a different question" for your topic - this and the subject line ensure that it gets assigned to me.

    Send in:

    Subject: "Attn: Milan Savaliya"
    - WordPress admin username
    - WordPress admin password
    - Login url
    - FTP credentials (host/username/password)
    - Link back to this thread for reference
    - Any other relevant urls

    Cheers,
    Milan

  • Samuel

    Hi @milansavaliyaz,
    Did you have any luck finding a solution to this issue? Further to my issue, I've noticed that when I click on my checkout page (skizzar.com/your-account) Pro Sites forces https (due to stripe) but then all menu links and also links to the dashboard also contain https too which results in broken images and unsecure web page notifications for my users.

    Here is a screenshot of my homepage when returning from my checkout page

  • Samuel

    Hi Adam,
    This does provide some sort of work around, in that it loads images and resources on https pages - however, it doesn't solve the bigger issues here that are:
    1) When user creates their site, the links on the "Finalizing your site" page are https links
    2) When clicking on the checkout it is served over https (as it should be since stripe payments are taken), but then when the user navigates to another page (such as going back to the homepage) that is then served over https also - it should just be the checkout page that is secure.

    Any chance this issue might get fixed in prosites itself soon?

    • Samuel

      Hi Adam Czajczyk and @milansavaliyaz,
      Once again, thanks for your ongoing support with this prosites issue. I have managed to hack together a fix for one of the issues i'm having by creating the following mu plugin:

      add_action( 'template_redirect', 'fb_ssl_template_redirect', 1 );
      function fb_ssl_template_redirect() {
      
              if ( is_page( 'your-account' ) && ! is_ssl() ) {
      
                  if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
                      wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']), 301 );
                      exit();
                  } else {
                      wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
                      exit();
                  }
              } else if ( !is_page( 'your-account' ) && is_ssl() && !is_admin() ) {
      
                  if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
                      wp_redirect(preg_replace('|^https://|', 'http://', $_SERVER['REQUEST_URI']), 301 );
                      exit();
                  } else {
                      wp_redirect('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
                      exit();
                  }
              }
      }

      This forces http for any pages that aren't 'your-account' i.e. the checkout.

      However, this still doesn't fix the issue of the links on the Finalizing Your Site page - these are still https links. As a temporary solution I have decided to disable the stripe payment gateway as this is the root of the problem and will at least allow me to launch to the public in the morning. However, this is frustrating as a) I have purchased an SSL certificate specifically so I could take stripe payments and b) Stripe charge less in fees than paypal which is why I wanted to use that gateway.

      Do you think it will be possible to get a fix to this issue as soon as possible so that I can get stripe back up and running on my site again?

      Thanks,
      Sam

  • Milan

    Hello @sam69,

    Hope you are well today and thanks for asking us. :slight_smile:

    I've made few changes in above code snippets and enabled stripe payment gateway for some time to test better. But due to your server cache I am not able to test those changes in real time. So I've committed those changes as mu-plugin on your end. Please test one more time and let me know how it works for you. If not then please disable server caching and I will test few other things I have in mind.

    Cheers,
    Milan

    • Samuel

      Hi @milansavaliyaz,
      Thanks for your help on this. I ran a test and can see your changes have taken place, however, they don't seem to be taking affect on the new blog links (although the script does work on other links on the page menu, so I know it's doing something!).

      I think though that rigt now it's more important for me to launch than to wait for this to be right, so with that in mind I have disabled stripe again and will wait until this isue is fixed in a new release of Pro Sites - do you think this will be likely?

      Thanks agin for your help on this, I do very much appreciate it.
      Sam

  • Milan

    Hello Samuel

    Hope you are well today :slight_smile:

    I am glad that code hack worked for you.

    After confirming with developer I can say that there is no plan in near future of adding this hack to Pro Sites's functionality. Developer think about this when they plan to include other features request in Pro Sites's existing functionality. For now, this hack is all we got. :slight_smile:

    This is just updation type of reply, but if you still have any query please consider opening new thread instead of replying here. :slight_smile:

    Have a nice day. :slight_smile: Enjoy WPMU DEV.
    Cheers,
    Milan

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.