HTTPS is the thing people are concerned about nowadays. A green padlock and a “HTTPS” are symbols of trust and security. Websites having SSL installed are HTTPS and are safer to trust and to do communications with. Websites having login/register forms, payment gateways and such other functions should be secured with the SSL certificate. For a 100% secured site, acquiring SSL certificate is not enough you will also have to configure it properly in your website or web server.
HTTPS And WordPress
There are three ways of enabling the HTTPS in the WordPress:
1. Enforcing all the pages to be HTTPS
Being the most easy to do, this task is also not so preferred one as it requires the caching of the HTTPS pages. Only when you are determined to make every page HTTPS you should opt for this. Go to WordPress General Settings and thereon in the WordPress Address (i.e. URL) and the Site Address (URL) replace the HTTP with HTTPS.
2. Limiting HTTPS to a number of pages (mostly preferred)
Sometimes there are some of the pages, which do not deal with the sensitive information or any type of send or receive processes. These pages need not be secured with the SSL rather than those which require extra detail from the customers such as the Login Page. You can do this on this server side manually or with the help of the plug-ins. Within the plugins you just have to check the box lying in the front of the page if you want it to be HTTPS.
Plugins like WordPress HTTPS (SSL) and Better WP Security are widely used for this purpose.
3. Making Login page HTTPS or making login as well as admin page HTTPS
Login is the heart page of your website. Not securing the login page will lead to cyber threats like Phishing and stealing of data. That is why many of you think of securing the Login as well as the Administration page, if that’s all which contains the sensitive part.
For forcing HTTPS on the Login and Admin pages set up the following two wp-config.php constants:
define (‘FORCE_SSL_LOGIN’, true); define (‘FORCE_SSL_ADMIN’, true);
If you have already set up the FORCE_SSL_ADMIN constant then you will not need to set up FORCE_SSL_LOGIN separately as it includes the other constant in itself.
How To Identify The HTTP Content On The HTTPS Page?
Here, comes the most awaited part “Determining and fixing up the Mixed Content Warning”. We have already discussed about FireFox that has already started to block mixed content in version 23.
For finding out for the residual of the non-HTTPS content on the site follow these three steps:
- Visit your website by typing the address of the website in the browser with HTTPS in the front.
- Check for the HTTPS plugins and wp-config.php constants are working correctly in the sync.
- Suddenly the browser shows up the “insecure content” or “non-encrypted content warning”.
This proves that there are some contents on the website that are non-HTTPS.
For resolving this issue some of the methods are mentioned below:
1. Look for the unsecured content
Open the page along with the HTTPS and right click on the page (anywhere) and then select the “View Source” or “View Page Source” option.
With the help of the find command (Edit>Find or Ctrl+F or Cmd+F) look for:
src= “http: (with double quote)
src= ‘http: (with single quote)
By doing this you are searching for images, scripts, iframes, graphics and other such contents which are non-https. If you find nothing while searching with src=”http: or src=’http: then your page does not contain any http content. Similarly carry out this searching process in other pages too.
2. Take the help of plug-in
Plug-in also can help with finding of non-http contents from the page. Some of them are listed below: (It is advisable to download plugins from trusted sources.)
WordPress HTTPS (SSL) (yes it appeared above also)
WordPress HTTPS Test
SSL Insecure Content Fixer
Now, whenever you visit the website with HTTPS these plugins will help search for HTTP stuffs.
3. Using a third-party website for searching out the mixed stuffs
Websites like WhyNoPadlock tests the https as well as non http contents in your website for free. Details provided are easy to grasp. Once you catch the error fix it up and test again.
If your customers or visitors are viewing mixed content warnings then your website is containing the HTTPS as well as the HTTP content which is not good for both business reputation as well as security. You must keep a sharp eye on the performance of your website, make sure that every functionality are working fine and if there is something wrong get it fixed up immediately.
4. Let Google inspect your website
Google helps you out with every problem, doesn’t it? Google Chrome’s Inspector consists of a Console tab. If your website contains unencrypted assets, in the Chrome browser the icon before the URL of your website will be yellow or red in color. Learn more about website security indicator.
Now, when we have completed the hunting task (of unsecured contents); it is time to fix it up.
For Plugins And Themes:
If your plug-in is creating issues, you may do the following:
- Deactivate the plugin and contact the plug-in developer.
- With the help of the plugin developer you can modify some of the files to fix it up.
- You can change the theme of the website.
- Also you can modify the files of the theme currently installed.
Basically, you will need to change the content setting such that they suit up any condition i.e. if the protocol is HTTP then they become HTTP and when it is HTTPS then page becomes HTTPS.
There are two ways to fix up the content’s error:
Method 1: By making the use of relative URLs
This is the simplest method. For those contents which are integrated into the plug-in can convert the ‘reference URL’ to ‘relative URL’ when servers like Google scripts, API scripts or iframes want contents.
Method 2: By using the WordPress Coding standards
Some stubborn errors are not likely to be resolved by Relative URLs such as:
- Enforcing HTTP code.
- Some of the functions are not collaborating with SSL settings.
- Some code uses their own head while making HTTPS irrespective of the WordPress settings.
Following functions will help resolve above type of errors:
- Making use of home_url () and related functions and is_ssl ()
- Using WordPress Function Reference (not the ones in red) and WP_DEBUG.