WP SSL issues are plaguing my MarketPress network.

Goal: solve secure/unsecure content (and plugin issues).

Installed WP SSL plugin -- but require assistance to configure. Network "Domain" is https and "SiteURL" is http -- how did this happen and how can I change it?

Developing has been challenging with plugin issues. (Wish I read this article months ago "https://managewp.com/wordpress-ssl-settings-and-how-to-resolve-mixed-content-warnings".)

Perspective: What are the top things to have in place to ensure a MarketPress eCommerce network is running securely, and providing users with a good experience?

Details: Server has a valid security certificate; MarketPress multisite network; Pro3 MarketPress.com theme. In Admin, plugin buttons that upload images do not function unless unblock-browser. For users, in https, jQuery global product menu does not function and resources e.g. vimeo disappear, etc.

Thank you.

  • MoniQ

    Jack, access granted. Thanks.

    1) I have a valid certificate installed on the server.
    2) I have installed WP SSL Plugin, activated over network, but have not configured. This is allowing me to set pages to https one by one. (Seems to have already solved jQuery menu and vimeo issues.)
    3) I am checking config.php (multisite) to ensure SSL Admin, WP_SITEURL, WP_HOME are setup:

    Forces both SSL Login and SSL Admin. Should I delete SSL Login, as SSL Admin should include both, or does this matter?

    I thought I would find WP_SITEURL definition for https and WP_HOME definition for http, as I am unable to make changes in the WP admin screen.

    Is this config.php what defines "Domain: https://domain.ca"
    define('DOMAIN_CURRENT_SITE', 'artcommons.ca');
    or should I use this instead?
    ('WP_SITEURL', 'https://artcommons.ca');

    Is this config.php what defines "SiteURL: http://domain.ca" (what the public use)
    define('PATH_CURRENT_SITE', '/');
    or should I use this instead?
    ('WP_HOME', 'artcommons.ca');

    4) Because I am still getting browser warnings, I am working to offer only https assets:

    Uploading images using WP "Media", or "plugins" or a theme "page builder", appears to force http. For example, I tried to add https manually in the page builder but the image will not display. (Checking with theme developer on that.)

    It would be very helpful if all plugin/theme script-pages, for example when using assets to link or reference codex, schema and wpmu dev, would instead use
    '//site.com/assets/logo.png'
    It is taking me a lot of time to clean things up, and very risky from a beginner's perspective.

  • Jack Kitterhing

    Hi there @MoniQ,

    Hope you're well today, thanks for that :slight_smile:

    Could you paste your wp-config.php and .htaccess file here please?

    For the domain, this should fix it,

    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    In your .htaccess file, as long as you're running on an Apache server which uses port 443, by default that is the secure port on a server running Apache.
    Thanks!

    Kind Regards
    Jack.

  • MoniQ

    Thanks Jack. I want to make sure I put things in the right place, in the right order. I notice both SSL_login/admin are used below - do I delete the login line?
    By adding your two lines to .htaccess, is there a chance I will lock myself out?

    .htaccess

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # add a trailing slash to /wp-admin
    RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
    RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
    RewriteRule . index.php [L]

    wp-config.php ...

    define('WP_DEBUG', false);
    
    define('MULTISITE', true);
    define('SUBDOMAIN_INSTALL', false);
    define('DOMAIN_CURRENT_SITE', 'artcommons.ca');
    define('PATH_CURRENT_SITE', '/');
    define('SITE_ID_CURRENT_SITE', 1);
    define('BLOG_ID_CURRENT_SITE', 1);
    
    define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);
    define('WP_MEMORY_LIMIT', '256M');
    
    /* That's all, stop editing! Happy blogging. */
    
    /** Absolute path to the WordPress directory. */
    if ( !defined('ABSPATH') )
    	define('ABSPATH', dirname(__FILE__) . '/');
    
    /** Sets up WordPress vars and included files. */
    require_once(ABSPATH . 'wp-settings.php');

  • MoniQ

    .htaccess - Updated as you recommended:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    RewriteRule ^index\.php$ - [L]
    
    # add a trailing slash to /wp-admin
    RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
    RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
    RewriteRule . index.php [L]

    Still have browser warnings.

    wp-config - updated as Ashok recommended:

    define('WP_DEBUG', false);
    
    define('MULTISITE', true);
    define('SUBDOMAIN_INSTALL', false);
    define('DOMAIN_CURRENT_SITE', 'artcommons.ca');
    define('PATH_CURRENT_SITE', '/');
    define('SITE_ID_CURRENT_SITE', 1);
    define('BLOG_ID_CURRENT_SITE', 1);
    
    define('FORCE_SSL_ADMIN', true);
    define('WP_HOME','https://artcommons.ca');
    define('WP_SITEURL','https://artcommons.ca');
    define('WP_MEMORY_LIMIT', '256M');

    Still have browser warnings. Saw this:

    Then Update Your Permalinks...
    Clear your browser cache, then close and re-open it.
    Login to your dashboard and then go (Settings > Permalinks).
    Click "Save Changes" [This is to update your new URL protocol you set in the first step]

    Effectively this forces your site to always be secured.

    How do I clear browser cache (can do history and cookies)?
    Cannot find settings > permalinks... maybe that is for a single site and not a multisite?

    Thanks.

  • MoniQ

    Hello Jack.
    I found this script in the "Visit a shop" globalstoremodal. It lists sites in my network as http. Is there something I can change in here to force https?

        // Visit a Shop
        $output .= '<table class="table table-striped table-hover">';

        if (!empty($blogs)) {
            foreach ($blogs as $blog) {
                $blog_details = get_blog_details($blog->blog_id);
                $output .= '<tr><td>'.$blog_details->blogname.'</td><td><a href="'.$blog_details->siteurl.'" class="btn btn-small pull-right'.$btncolor.'"><i class="icon-arrow-right'.$iconcolor.'"></i> '.__( 'Visit Shop' , 'pro').'</a></td></tr>';
            }
        }

        $output .= '</table>';

        $output = apply_filters( 'floating_menu_global_store_after_table' , $output );

        $output .= '</div>';

        $output .= '<div class="modal-footer">';
        $output .= '<button class="btn'.$btncolor.'" data-dismiss="modal" aria-hidden="true">'.__( 'Close', 'pro' ).'</button>';
        $output .= '</div>';

        $output .= '</div>';

        if ($echo)
            echo apply_filters( 'func_pro_global_store_load_modal' , $output , $echo );
        else
            return apply_filters( 'func_pro_global_store_load_modal' , $output , $echo );
    }

    Also a site categories pull down menu is doing the same thing.

    Thanks.

  • Jack Kitterhing

    Hi there @MoniQ,

    Hope you're well today, looks like you have it using https now.

    The issue now lies with possibly your certificate and one of the Google fonts you're calling with http and not https; you can check this here: http://www.whynopadlock.com

    It says that your common name on your certificate is incorrect as well, could you double check with your certificate issuer? For me when I checked it showed it with your domain name as the common name (correct).

    Thanks!

    Kind Regards
    Jack.

  • MoniQ

    Thank you :slight_smile:

    Jack, good catch. That Google font http is in a plugin that installed with the Pro3 theme. When I went through to update assets, I must not have saved properly. Without changing server permissions, I managed to update it.

    I did a test at http://www.whynopadlock.com as recommended (great service). Remaining issue is the security certificate which has a mismatched domain/account name. I asked my server admin to fix this.

    Today - I have a padlocked site :slight_smile: Wonderful!

    Would like to learn a bit more...

    In WP network settings,
    Domain: https://artcommons.ca, SiteURL: http://artcommons.ca.
    Why are they not the same https ? Is this the way settings should be? (Does it matter?)

    - Do some plugins/scripts pull http: from siteurl rather than the domain setting? Or how does this work?

    - When I am asked "Is your site running https in the front end?", does that have to do with: SiteURL or the Domain setting? What settings in wp-config or .htaccess refer to the "front end"?

    I assumed Site Categories and the global floating menu in my theme was pulling http: from siteurl in the blog table (get_blog_details as Paul mentions). Because I did everything I could to turn on SSL throughout the network, I was very confused to see http show up in the "view source code" and sidebar pull down menu (widget). But, if the site is now padlocked - does this matter? Will this cause issues with eCommerce security down the road?

    Look forward to hearing from you.
    Thanks for all your hard work!

  • MoniQ

    @Jack, in addition to learning more with my questions above, is there anything else I can do in my wp-config or .htaccess files? Are these files ok?

    My site is padlocked now. But Paul still gets a Firefox "get me out of here" warning! (He pointed that out in a Site Categories plugin thread). It seems this is relating to the security certificate again. My server admin found a Firefox bug a few weeks ago, so I assumed this was fixed:

    The issue here is actually a bug in how the latest Firefox handles certificate chains -- Chrome and Opera can validate it fine; Firefox isn't seeing the certificate issuer properly and is thus treating it as a self-signed certificate. It *is* a valid certificate, and buying a second valid certificate would not have solved the problem; you would have seen the same thing.

    I've found a workaround that seems to work (explicitly specifying the certificate issuer in the web server config, even though it's already given in the certificate itself) -- can you have WPMU Dev verify that it's OK now?

    Also, the problem is apparently specific to the Windows (and maybe Mac?) version of Firefox, which explains why I didn't see it until I dug out the Windows 7 laptop just now. The Linux version of Firefox doesn't have the bug and only gives the "mixed content" warning, not the "get me out of here" warning.

    When I tested the site at http://www.whynopadlock.com as mentioned above, I requested my server admin fix a mismatched domain name issue with the security certificate that was found. It is a valid certificate though, so I am told. We'll see if this fixes it.

    Look forward to your feedback.
    Happy New Year 2014 :slight_smile:

  • Jack Kitterhing

    Hi there @MoniQ,

    Hope you're well today and thanks for the additional information, glad to hear it's working now :slight_smile:

    Domain: https://artcommons.ca, SiteURL: http://artcommons.ca.
    Why are they not the same https ? Is this the way settings should be? (Does it matter?)

    It's important they are both the same, https, as this also technically answers your later question, if a plugin calls the site URL, to add the files and load the files it would end up loading them as http rather than https.

    - Do some plugins/scripts pull http: from siteurl rather than the domain setting? Or how does this work?

    Yes the php constant __FILE__ is used in plugin development, and they may also use the siteurl() function :slight_smile:

    I assumed Site Categories and the global floating menu in my theme was pulling http: from siteurl in the blog table (get_blog_details as Paul mentions). Because I did everything I could to turn on SSL throughout the network, I was very confused to see http show up in the "view source code" and sidebar pull down menu (widget). But, if the site is now padlocked - does this matter? Will this cause issues with eCommerce security down the road?

    It all looks good on the site :slight_smile: So there shouldn't be any issues.

    The other issue appears to be the site security certificate domain mismatch again with the Firefox issue.

    Thanks!

    Kind Regards
    Jack.

  • MoniQ

    Jack, I have learned a lot with you and Paul regarding SSL. Thanks!

    My server admin followed up this weekend! He ran search and replace on the database tables for me to change all http: and I cleaned up an asset after a plugin update. He also fixed the certificate name mismatch. Padlock is holding!

    One issue that remains is whether I will remember to clean up assets after theme and plugin updates in the future. I will have to add this to my regular maintenance routine -- or instead, programmers could replace http: with '//' links in all plugins and themes instead :slight_smile: That would be even better!

    The plugin I updated that caused the site to bark, references Google in the CSS! Argh.

    I will be testing the eCommerce settings and store checkout this week. I hope all the work we have done has not broken MarketPress.

    Thanks for all your help Jack!
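
An added example, not code from this thread or from any plugin or theme named in it: a small scanner for the post-update clean-up discussed above. It reports `http://` subresources (scripts, stylesheets, frames, images, CSS `url()`/`@import`) separately from plain `http://` navigation links, and treats `//host/path` URLs as fine. The sample page and the `*.example` hostnames are constructed.

```python
import re
from html.parser import HTMLParser
# (tag, attr) pairs fetched or submitted as part of the page: http:// here is mixed content.
SUBRESOURCE = {("script", "src"), ("img", "src"), ("iframe", "src"),
               ("video", "src"), ("embed", "src"), ("form", "action")}
CSS_URL = re.compile(r"""(?:url\(\s*|@import\s+)['"]?(http://[^'")\s]+)""", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.mixed, self.links, self._in_style = [], [], False

    def _css(self, css, where):
        self.mixed += [(where, url) for url in CSS_URL.findall(css)]

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        rels = set((dict(attrs).get("rel") or "").lower().split())
        for name, value in attrs:
            value = (value or "").strip()
            if name == "style":
                self._css(value, f"<{tag} style>")
            elif not value.lower().startswith("http://"):
                continue  # https://, //host/path and relative URLs are fine
            elif (tag, name) in SUBRESOURCE or (
                    (tag, name) == ("link", "href") and rels & {"stylesheet", "icon"}):
                self.mixed.append((f"<{tag} {name}>", value))
            elif (tag, name) == ("a", "href"):
                self.links.append(value)  # navigation, not a page subresource

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._css(data, "<style>")

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.mixed, scanner.links

# Constructed sample page (not taken from the site in the thread).
SAMPLE = """<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<link rel="canonical" href="http://shop.example/"><script src="//cdn.example/jquery.js"></script>
<style>@import url("http://cdn.example/theme.css"); body{background:url(//cdn.example/bg.png)}</style>
<iframe src="http://player.vimeo.com/video/0"></iframe><a href="http://shop.example/shoptest/">Visit Shop</a>"""
print(scan(SAMPLE))
```

Feed it the saved HTML of a page after each plugin or theme update; an empty first list means no `http://` subresources were found in that page's markup or inline CSS (external stylesheets and scripts need scanning as files of their own).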

  • MoniQ

    @Jack that is good news. Thank you!

    Unfortunately all subsites being created so far have siteurl and home using http, but domain is https. That means they are being listed in Site Categories menu and Floating Global Menu with http, which makes the browser bark. The padlock test says everything is fine, but the site is not.

    I tried creating new subsites using new blog templates and my secure shop-template as the default. Each subsite is broken; theme, links, etc. I could assume these broken subsites are what are causing browser warnings, but I know it is the floating menu.

    I am not sure what else to do now. I was told reinstalling using https will solve this. I will try to work with new blog templates today, but my server admin and I are both stumped.

  • MoniQ

    @Jack, as super admin went into "All Sites" to create new site without "template":

    From there, went to new site dashboard:

    https://https/shoptest5/wp-admin/ (server not found)

    Manually typed in URL https/shoptest5/wp-admin/ and same (server not found)

    Any ideas why this is happening?

    Went into new site's settings page:

    Domain: https://artcommons.ca/shoptest5/
    Siteurl: http://artcommons.ca/shoptest5
    Home: http://artcommons.ca/shoptest5

    Ssl Host: (blank)
    Wordpress-https Ssl Host: https:/// (???what is this?)
    Ssl Port: (blank)
    Wordpress-https Ssl Host Subdomain: 1

    Can you help me find what is wrong, or should I post this in a new thread? I currently have a new blog templates thread going as well.

    Thanks Jack.

  • MoniQ

    @Jack, after creating my first successful shop (subsite) - the main site (and subsite) are no longer padlocked!

    New subsites use http not https! Therefore floating global menu and site categories will constantly set off browser warnings by listing sites with http. Is this a bug in multisite? Can this be fixed?

    I had to uninstall WP HTTPS plugin to get New Blog Templates to create subsites that would use the template's theme and normal WP weblinks. Is there another https plugin you can recommend? ( I would like to deactivate https plugin and test, but I am stuck with NBTemplates - will not recognize template after we cleaned out database tables - I think we missed something).

    Http: assets are everywhere! With every update of a plugin or theme, I will have to clean up http: assets until I can find a https plugin that works. For example, recently updated Pro3 theme. Video cannot play with all the http: links to vimeo and youtube, etc. and then there are google font links galore, and etc.

    I am back where I started.

    Is there a way to request theme/plugin developers to please add links using '/_' instead of http:// ? It is everywhere; in php, css and javascript.

    Thank you.