Weaver Xtreme 3.1.12: Site converted to https://…Insecure items

This topic contains 10 replies, has 3 voices, and was last updated by  seh789 8 months ago.

Viewing 11 posts - 1 through 11 (of 11 total)
  • #53491

    seh789
    Participant

    Perhaps I should start by thanking you for the super theme and its many detailed functions – I am very impressed! I must also admit I am not a qualified developer – I was a tech writer / author and have produced the charitable web site to assist the Twinning of two villages (in France & the UK).

    I installed and used SSL Insecure Content Fixer WordPress plugin to fix a lot of content on:
    https://sorigny-comitejumelage.com (following .htaccess changes).

    It appeared to fix a lot but when I use https://www.missingpadlock.com/ various insecure issues are shown, notably:

    Pages with Potential Active Mixed Content
    Pages with Potential Passive Mixed Content

    For example:
    http://sorigny-comitejumelage.com/page-d-exemple/activites-de-jumelage/ 28 assets
    http://sorigny-comitejumelage.com/wp-includes/js/jquery/jquery.js?ver=1.12.4 script src
    http://sorigny-comitejumelage.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1

    I have checked and changed all pages to be https:// pages so I do not understand even the existence of the http:// pages in the example above. When I visit the site with the https:// address I do not see these potential mixed content pages – only the https one.

    The scripts for the menus are well beyond my understanding but appear to be from Weaver Xtreme menu sliders.

    I would appreciate it if you can tell me if I am misunderstanding something, have made a silly error somewhere or if it does concern the Weaver theme – let me know what to do.

    Many thanks in advance,
    Stephen

     

    #53492

    Weaver
    Keymaster

    This is not really theme related, but WP SSL setup.

    I suspect, however, that you have not reset the WP Settings -> General WordPress Address (URL) and the Site Address (URL) settings.

    In general, however, you would need a plugin like SSL Insecure Content Fixer WordPress (I don’t know what it does) only once to change any links to your own site to https:. Fixing the WP/Site URL to include https:// usually fixes that, although links to media generated pre-ssl conversion may retain the http: and should be fixed.

    While you may not be using CloudFlare to provide SSL, there is still possibly useful information in: https://guide.weavertheme.com/free-and-easy-ssl-for-your-wp-site/

    #53506

    seh789
    Participant

    Many thanks,

    I have checked the details you mentioned and confirm that the General URL and Page settings are as required. I have also taken screenshots of the SSL plugin which you might find interesting – I only used the Simple and Content options since the Capture and Capture All options appeared likely to cause breakages of the kind you warn about re AutoOptimizer.

    If you would like to see the screenshots, please send me an address to which I can send them, they are:
    SSL Insecure Content Fixer Details.jpg & SSL Insecure Content Fixer Settings.jpg & WP_Gen_Settings.jpg

    I will study the CloudFlare info - thanks. I will also see if there is a Forum for the https://www.missingpadlock.com web site.

    Thanks again,
    Stephen

     

     

    #53507

    Weaver
    Keymaster

    I’m surprised that it was not the site and General URL settings.

    Here are some specific symptoms that will help you get a diagnosis:

    1. The issue arises only if you do NOT explicitly enter https://yoursite. Either no leading http or using http:// results in the issues.
    2. One easy thing to check is the various <link> elements in the <head> section of your page HTML source view. Now most of these scripts and CSS files are loaded using a WordPress function called enqueue_scripts or enqueue_styles.

    I looked at the WordPress source code for these, and while I didn’t get all the way to the bottom, I did get the impression the value for the http was derived from the General URL name. I must be wrong. But, if someone knows exactly where that http or https is derived from for the enqueue_scripts function, that would be a huge clue as to what is going on. You might even be able to contact the plugin support to get that answer – they should know, or at least know that their plugin is failing to handle that situation.

    #53524

    seh789
    Participant

    Thanks again.

    I have spent some time cleaning up / changing all the references I could from http to https and then ran Crawl My Site again. The results now (converted to plain text) are:

    Summary
    Active Mixed Content (0)
    Passive Mixed Content (0)
    Potential Active Mixed Content (2)
    Potential Passive Mixed Content (2)
    Crawl Errors (0)
    HTTP (0)
    No Issues (77)
    Pages with Potential Active Mixed Content
    These pages are not currently served with HTTPS. But they have high-risk assets, such as scripts, being served explicitly via HTTP. If you implement HTTPS for these pages, most browsers will completely block these assets, which will likely break some sort of functionality on the page.

    http://sorigny-comitejumelage.com/page-d-exemple/albums/ 30 assets
    http://sorigny-comitejumelage.com/wp-includes/js/jquery/jquery.js?ver=1.12.4 script src
    http://sorigny-comitejumelage.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 script src
    http://sorigny-comitejumelage.com/wp-content/themes/weaver-xtreme/assets/js/weaverxjslib.min.js?ver=3.1.12 script src
    http://sorigny-comitejumelage.com/wp-content/plugins/photo-gallery/js/bwg_frontend.js?ver=1.3.68 script src

    Pages with Potential Passive Mixed Content
    These pages are not currently served with HTTPS. But they have low-risk assets, such as images or video files, served explicitly over HTTP. If you implement HTTPS for these pages, they will still work, but the browser will identify these pages as not being secure.

    http://sorigny-comitejumelage.com/page-d-exemple/albums/ 30 assets
    http://sorigny-comitejumelage.com/wp-content/uploads/2015/08/Web-site-Banner-v51.jpg img src
    http://sorigny-comitejumelage.com/wp-content/uploads/2015/08/Box-tunnel-Box_100.jpg img src
    http://sorigny-comitejumelage.com/wp-content/uploads/2015/08/Sorigny-Aerial1_100.jpg img src
    http://sorigny-comitejumelage.com/wp-content/uploads/2015/08/L’Eglise-Saint-Pierre-aux-Liens_50.jpg img src
    http://sorigny-comitejumelage.com/welcome/downloadstelechargements/ 26 assets
    http://sorigny-comitejumelage.com/wp-content/uploads/2015/08/Web-site-Banner-v51.jpg img src

    As you can see there are 2 pages for both Potential Active Mixed Content and 2 pages for Potential Passive Mixed Content.

    For the web site page http://sorigny-comitejumelage.com/page-d-exemple/albums/, I viewed the Source (click right in Chrome) and there are many references to http://, for example:

    1. <link rel="profile" href="//gmpg.org/xfn/11" />
    <link rel="pingback" href="http://sorigny-comitejumelage.com/xmlrpc.php" />

    2. Within the section <!-- Weaver Xtreme Standard Google Fonts for page-type: page -->

    3. Within the </style> section
    </style>
    <link rel='stylesheet' id='gallery-bank-popup.css-css' href='http://sorigny-comitejumelage.com/wp-content/plugins/gallery-bank/assets/admin/layout/css/gallery-bank-popup.css?ver=4.9.4' type='text/css' media='all' />

    4. In the <script src=" sections.

    I use the PhotoGallery (free with WordPress) and Gallery Bank which allows 3 free galleries (I think) as well as Weaver Xtreme of course. I did a search on the Gallery Bank forum and did find references to enqueue_scripts or enqueue_styles as you suggested & tagged for ‘Developers’. Almost needless to say, I assumed these would be beyond my level of competence, so I stopped there.

    Having said all that, all the pages bar Media and Download I have checked show the padlock, so unless you think that CloudFlare would sort the issue and not cause any conflict with what I have already done, I am prepared to leave things as they are. I suspect I might find the CloudFlare setup a bit tricky too, but will take a closer look if you so advise.

    Thanks again for your attention – it is much appreciated.

    Stephen

    #53527

    Weaver
    Keymaster

    As I said before, I don’t know why those particular files use http:. Their address is generated dynamically at run time, and thus will not be fixed by any scanning. I had thought they were derived from the site’s URL settings, but you say that is fixed.

    Sorry I can’t be more specific. Try asking on the WordPress.org forums – both on your https plugin, and maybe the general forum.

    #53545

    seh789
    Participant

    Yes – thanks – understood. I just thought it might assist others to see this type of issue. I will be trying the WordPress plugin forums.

    Finally then, do you think CloudFlare would solve the issue without conflicts with what has been done so far?

    (I do appreciate you are busy, so thanks again for your responses.)

    Stephen

     

    #53550

    Weaver
    Keymaster

    I think it is not too hard to set up a Cloudflare account. Read our Cloudflare article to see if it sounds easy enough for you.

    https://guide.weavertheme.com/free-and-easy-ssl-for-your-wp-site/

    #54172

    seh789
    Participant

    Somewhat belated thanks again – been busy with too many other issues. Following more checking and correction, the site is now conforming to https and the now obligatory Cookie warning is on.

    For what it is worth, my enquiry to WordPress had no response, so I appreciate the effort you put in, Mr Weaver!

    #54173

    Maureen
    Participant

    If I correctly understand what is happening on your site, you have pages appearing not secure due to mixed media. This means that you have content — mostly images — that came over a non-secure connection.

    If that is the case, check out this plugin: https://wordpress.org/plugins/http-https-remover/

    There are probably other plugins that could also help.

     

    #54219

    seh789
    Participant

    Hi Maureen & thanks,

    Yes, it was due to both the http and https versions of the site still being registered with Google Analytics and also some faulty links within the site to the old http pages. By deleting the http version from Google and checking my errors with https://www.missingpadlock.com I arrived at a clean https site.

    So I did not have to use the plug-in you kindly referred me to.

    Thanks again,
    Stephen
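
The checks discussed in this thread, as an added example that is not part of any post: a Python script that reads a page's HTML source and lists explicit http:// subresources, split into active (scripts, stylesheets, iframes) and passive (images, media) as in the crawler report quoted above, plus same-site `<a href>` links still pointing at http://. The host `example.test`, the sample HTML and all names in the code are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACTIVE_TAGS = {"script", "iframe"}                   # blocked by browsers on https pages
PASSIVE_TAGS = {"img", "audio", "video", "source"}   # loaded, but the padlock is lost

class MixedContentAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = {"active": [], "passive": [], "stale_link": []}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE_TAGS:
            kind, url = "active", a.get("src")
        elif tag in PASSIVE_TAGS:
            kind, url = "passive", a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            kind, url = "active", a.get("href")
        elif tag == "a":
            kind, url = "stale_link", a.get("href")
        else:
            return  # e.g. rel="pingback"/"profile": not loaded as a page resource
        if not url:
            return
        parts = urlsplit(url.strip())
        if parts.scheme != "http":
            return  # https:// and protocol-relative //host/... are fine
        if kind == "stale_link" and parts.hostname != self.site_host:
            return  # only internal links lead visitors back to http:// pages
        self.findings[kind].append(url)

def audit(html, site_host):
    parser = MixedContentAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample modelled on the kinds of tags quoted in the thread.
SAMPLE = """<html><head>
<link rel="profile" href="//gmpg.org/xfn/11" />
<link rel="pingback" href="http://example.test/xmlrpc.php" />
<link rel='stylesheet' href='http://example.test/wp-content/plugins/gallery/popup.css?ver=1' />
<script src="http://example.test/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://example.test/wp-content/themes/theme/lib.min.js"></script>
</head><body><img src="http://example.test/wp-content/uploads/2015/08/banner.jpg" />
<a href="http://example.test/albums/">Albums</a> <a href="http://other.example/">Out</a>
</body></html>"""

if __name__ == "__main__":
    for kind, urls in audit(SAMPLE, "example.test").items():
        for u in urls:
            print(f"{kind:10} {u}")
```
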
