Home Forums Weaver and Plugin Interaction SSL Insecure Content Fixer

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #20018
    laura
    Participant

    My question relates to after an SSL certificate (in my case it was purchased through my web host) is applied to a WordPress installation and you are faced with fixing the insecure content.
     
    I found a fabulous plugin called, SSL Insecure Content Fixer where it describes itself:

    “Clean up your WordPress website’s HTTPS insecure content and mixed content warnings. Installing the SSL Insecure Content Fixer plugin will solve most insecure content warnings with little or no effort.”  
    Can a plugin like this be used as a permanent fix for people who are not very technical when it comes to changing the WordPress database? Is the purpose of a plugin like this is so that you don’t have to do a search/replace on your database?

    I think I may have misunderstood the purpose of this plugin. I thought it finds the insecure content AND changes it at the same time on the database.

    I’m wondering if a plugin like this can be used as a permanent fix even though it is not actually changing anything. I understand that I would never be able to deactivate it if I do. One of my wordpress sites would require a some kind of manual intervention because the database is about 8 gigs.

    I have also been advised to not depend on a plugin. What happens if this plugin is no longer supported in the future? Is this plugin remain actively supported? Will future versions of WordPress that require SSL still see my website as secure as the way this plugin presents it to be?  

    I noticed in the flexible SSL version of Cloudflare, there is an option on their dashboard to switch on that says “Always use HTTPS” which I assume has the same effect which is “permanent” as long as you are using Cloudflare. I’m wondering if this is the same kind of effect where the pages are served on the fly appearing as secure to the browser.    

    #33086
    Weaver
    Keymaster

    Try the plugin. Then look at the HTML source of the pages in question.

    See if all URLs have been changed from http:// or https:// to simply //. It so, the plugin is post-processing the HTML output to change to the neutral // form. This is what the CloudFlare plugin does.

    I’m not sure what the plugin might do with .css files with url() styling.

    #33087
    laura
    Participant

    Bruce,

    I contacted the plugin author and this is their response below, but I will examine the html like you suggested. The only problem I’ve had was to change some of the hardcoded img tags in the posts, but I’m ok doing this because I can do it right in my text editor when using wordpress at my convenience.

    “This plugin can be used as a permanent fix if you leave it activated.

    Its
    original purpose was to correct badly registered scripts and
    stylesheets, which requires the plugin to be activated. I’ve since added
    new fixer modes that also fix things in content, widgets, and
    hard-coded into templates. All of this happens on-the-fly which means
    that on the one hand, the plugin must be activated to keep working, and
    on the other hand, it doesn’t make any changes to the website so it
    cannot damage the site. That last point means that if you have a problem
    with this plugin, you can simply remove it from the site.

    The
    advice to not depend on a plugin is generally good advice. If you are
    able to clean up all of the things that are causing your insecure
    content errors, then that is best for your website.

    This plugin
    isn’t going to disappear or stop working any day soon, however. I use it
    myself for websites I develop and maintain. I wrote it initially
    because there were plugins doing things badly, and I still find problems
    in plugins and themes today. I keep it maintained, testing it with
    every beta release of WordPress and major plugins before they get
    general release, so that I can make any necessary changes before changes
    in WordPress can impact sites using this plugin.

    The future of
    https on WordPress is likely to bring some fixes in the WordPress core
    that make this plugin unnecessary. Also, building websites on all-https
    from day one (no http pages) generally avoids insecure content problems.
    In my experience with insecure content, however, there will always be
    something that breaks the site, and this plugin will be there to clean
    that up!”

    cheers,
    Ross

    #33088
    laura
    Participant

    Bruce,

    The author seems to indicate that I can leave this plugin in as a permanent fix. I did a “view souce” on one of my sites and it is outputing the Weaver style sheets as follows (I changed the site name):

    <link rel='stylesheet' id='wvrx-ts-style-sheet-css'  href='https://mywebsite.com/wp-content/plugins/weaverx-theme-support/weaverx-ts-style.min.css?ver=3.0' type='text/css' media='all' />
    <link rel='stylesheet' id='atw-posts-style-sheet-css' href='https://mywebsite.com/wp-content/plugins/show-posts/atw-posts-style.min.css?ver=1.3.9' type='text/css' media='all' />
    <link rel='stylesheet' id='weaverx-font-sheet-css' href='https://mywebsite.com/wp-content/themes/weaver-xtreme/assets/css/fonts.min.css?ver=3.0.4' type='text/css' media='all' />
    <link rel='stylesheet' id='weaverx-style-sheet-css' href='https://mywebsite.com/wp-content/themes/weaver-xtreme/assets/css/style-weaverx.min.css?ver=3.0.4' type='text/css' media='all' />
    <link rel='stylesheet' id='weaverxp-style-sheet-css' href='https://mywebsite.com/wp-content/uploads/weaverx-subthemes/style-weaverxt.css?ver=60' type='text/css' media='all' />
    <link rel='stylesheet' id='smc-widget-style-css' href='https://mywebsite.com/wp-content/plugins/social-media-icons/styles/smc_front.css?ver=1.2.5' type='text/css' media='all' />
    <script type='text/javascript' src='https://mywebsite.com/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
    <script type='text/javascript' src='https://mywebsite.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1'></script>
    <script type='text/javascript'>

    So is it safe to assume that by leaving the plugin active, my website will survive future major upgrades of WordPress that will require SSL???

    #33089
    Weaver
    Keymaster

    The https:// on all those stylesheets and scripts is likely coming from WP directly assuming you’ve set the site url in the Settings menu to have https://. Normally, a theme or plugin that adds stylesheets and scripts does that via a call to the WP core API, and that is where the https:// is added. That would not rely on the plugin. The problem usually comes from old links to the media library or other content that would have originally had http:// when inserted into the content. Those are the sorts of links that need fixing.

Viewing 5 posts - 1 through 5 (of 5 total)
  • The forum ‘ Weaver and Plugin Interaction’ is closed to new topics and replies.