Make a WordPress site work on both HTTP & HTTPS
Since Google started including sites which are served over HTTPS in their ranking, and CloudFlare came out with their Universal SSL service, I was thinking of adding native SSL support to my WP blog.
But it seems like WP does not support working over HTTP & HTTPS at the same time. At first I created a new VirtualHost (Apache) / server (Nginx) config for my blog to work with SSL, but when I tried to access it with https the browser blocked the loading of the site and complained about mixed content.
And so, after some googling, I came up with this hack to make my WordPress blog accessible via both HTTP & HTTPS.
Add HTTPS & HTTP links to the wp-config.php file
Add the following lines to the `wp-config.php` file; they hard-code the site name and pick the URL scheme based on the connection type.

```php
// True when the request arrived over TLS.
function isSecure() {
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443);
}

$web_site = 'blog.rabin.io'; // hard-coded host name
$schema = isSecure() ? 'https://' : 'http://';
$web_site_url = $schema . $web_site;

define('WP_HOME', $web_site_url);
define('WP_SITEURL', $web_site_url);
```
Force SSL (optional)
If you like you can force SSL for the Admin pages and for login.
```php
define( 'FORCE_SSL_LOGIN', true );
define( 'FORCE_SSL_ADMIN', true );
```
Problems
While enabling SSL on my blog, I started having problems with a WP plugin called W3 Total Cache, so for now I had to disable it until I have the time to check out what exactly the problem is.
Resources
- https://wordpress.org/support/topic/get-wordpress-running-on-both-https-http
- https://make.wordpress.org/support/user-manual/web-publishing/https-for-wordpress/
- https://managewp.com/wordpress-ssl-settings-and-how-to-resolve-mixed-content-warnings
it seems to work fine for me on wp 4.1.1.
I noticed simply changing
to
seems to make your snippet work without hard coding the site name. Is there anything wrong with this approach?
thank you.
Thank you, I’m aware of this option, and yes, it does make the code more generic. But the `$_SERVER['HTTP_HOST']` variable is based on the request from the client, and so can be unexpected; this is why I hard-coded the site name.
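An added example (not code from the post or its comments): one way to get the generic behaviour asked about above without trusting the client-supplied `Host` header is to accept it only when it exactly matches an allowlist and otherwise fall back to the hard-coded name. `pick_site_host()`, the two constants and the host `www.blog.rabin.io` are hypothetical names chosen for illustration.

```php
<?php
// Added example, not the post's code. 'www.blog.rabin.io' is a constructed
// second name; 'blog.rabin.io' is the host the post hard-codes.
const CANONICAL_HOST = 'blog.rabin.io';
const ALLOWED_HOSTS  = ['blog.rabin.io', 'www.blog.rabin.io'];

/**
 * Host to build WP_HOME / WP_SITEURL from: the request's Host header only
 * when it exactly matches an allowlisted name, otherwise the canonical host.
 */
function pick_site_host(array $server): string
{
    $host = strtolower(trim((string) ($server['HTTP_HOST'] ?? '')));
    $host = (string) preg_replace('/:\d+$/', '', $host); // drop optional :port
    return in_array($host, ALLOWED_HOSTS, true) ? $host : CANONICAL_HOST;
}

// Replaces the hard-coded assignment in the post's wp-config.php snippet.
$web_site = pick_site_host($_SERVER);

// Run directly (php thisfile.php) to see the decision for constructed requests.
if (PHP_SAPI === 'cli' && realpath($_SERVER['argv'][0] ?? '') === __FILE__) {
    $samples = [
        ['HTTP_HOST' => 'blog.rabin.io'],                 // exact match
        ['HTTP_HOST' => 'WWW.Blog.Rabin.IO:443'],         // case and port normalised
        ['HTTP_HOST' => 'unknown.example'],               // not allowlisted
        ['HTTP_HOST' => 'blog.rabin.io.unknown.example'], // look-alike suffix
        [],                                               // request without a Host header
    ];
    foreach ($samples as $server) {
        printf("%-32s => %s\n", $server['HTTP_HOST'] ?? '(none)', pick_site_host($server));
    }
}
```

Every constructed request that is not an exact allowlist match resolves to `blog.rabin.io`, so an unexpected `Host` value never ends up in `WP_HOME` or in the absolute URLs WordPress generates from it.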
Any news on the Cache plugin?
Not really, I found out that my site is faster without the plugin most of the time, and using CF as a front end gives me the same effect. But check out https://github.com/szepeviktor/w3-total-cache-fixed , they provide a fixed alternative to W3 Total Cache with many fixes.
It’s good, thanks. And to fix the image src I will use a plugin, all right? https://wordpress.org/plugins/force-https-littlebizzy/
thanks for feedback.
I am having trouble on my Blog here.
Whenever users want to visit the blog with “http”, it won’t load (Error 403 message) but, when they use “https”, it will load without any problem.
What should I do?
Can you share your Apache HTTPD server config?
I made my move to https in 3 easy steps.
1 – Since I have a squid reverse proxy, I got a cert for it and configured it to take https requests, translate them to http and pass them to the webserver.
2 – I added a module to Apache to add a header.
`Header add Content-Security-Policy "upgrade-insecure-requests;"`
By simply adding that header statement, all of my mixed content statements went away.
The third step was to get a cert from letsencrypt.com for all of the sites I wanted to convert to https. That way one cert covers everything.
Yes, using a reverse proxy will work as well. I have a similar setup for another site, but using nginx as my SSL terminator and varnish as my reverse proxy.
I think we can directly use WordPress is_ssl() function instead of the custom isSecure() function.
Nice to know, but check the notes under the documentation for this function; `is_ssl()` can misbehave when used behind a load balancer.
But thank you for the tip.
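An added example (not code from the post or its comments) for the load-balancer caveat above and the TLS-terminating reverse proxy setups described earlier: the backend only sees plain HTTP from the proxy, so the original scheme has to come from a forwarded header, and that header should be believed only when the connection really comes from the proxy. It assumes the proxy sets `X-Forwarded-Proto`; `request_is_https()`, `TRUSTED_PROXIES` and the addresses in it are hypothetical.

```php
<?php
// Added example, not the post's code. The proxy addresses are constructed
// samples; exact addresses only, CIDR ranges would need range matching.
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

/**
 * Was the client's connection HTTPS?
 * Direct TLS: the server set HTTPS or the request came in on port 443.
 * Behind a TLS terminator: X-Forwarded-Proto says so, and it is honoured
 * only when the TCP peer (REMOTE_ADDR) is one of our own proxies.
 */
function request_is_https(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if (($https !== '' && $https !== 'off') || (string) ($server['SERVER_PORT'] ?? '') === '443') {
        return true;
    }
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return false; // any client can send this header, so ignore it here
    }
    $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
    return $proto === 'https';
}

// In wp-config.php, before wp-settings.php is loaded, so is_ssl() agrees.
if (request_is_https($_SERVER)) {
    $_SERVER['HTTPS'] = 'on';
}

// Run directly (php thisfile.php) to see the decision for constructed requests.
if (PHP_SAPI === 'cli' && realpath($_SERVER['argv'][0] ?? '') === __FILE__) {
    $samples = [
        'direct TLS'        => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.9'],
        'via trusted proxy' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'],
        'header, untrusted' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
        'plain HTTP'        => ['REMOTE_ADDR' => '203.0.113.9', 'SERVER_PORT' => '80'],
    ];
    foreach ($samples as $label => $server) {
        printf("%-18s => %s\n", $label, request_is_https($server) ? 'https' : 'http');
    }
}
```

The proxy itself should overwrite any `X-Forwarded-Proto` value it receives from clients, otherwise the trusted hop simply relays what the client sent.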
I just noticed that WordPress supports using HTTP and HTTPS at the same time without this trick. We just have to set the WordPress site URL with HTTP instead of HTTPS.
Then we can add `define('FORCE_SSL_ADMIN', true);` in wp-config.php if we want to force logging in using HTTPS (should be placed before `require_once(ABSPATH . 'wp-settings.php');`).
I’m not sure; truth be told, I haven’t checked if WP solved this problem in the past 3 years. The main problem is that WP will use ABSOLUTE paths for the site and its internal URLs and media files. So at that time I had to use this trick; nowadays I mostly force/redirect http->https and don’t bother with this hack.
I solved the problem with W3 total cache and cloud flare with this extended condition.
Well, all my http traffic was redirected to https. Actually I would like to use just https, but after a while I recognized that some phone browsers were having trouble reaching my site (certificate error), so I had to use both http and https. I erased the redirect on the virtual host and added this to the WordPress config; working well, thank you.
You may want to try and use older crypto (e.g. SSLv3/TLS1) to allow older browsers/devices/OSes to access your site over a secure connection.
Hi Robin,
Is there any way to force a single page to http instead of https? For header enrichment I need to force the user sign-in page to http even when the user is using the https website.
I’m a bit confused, can you clarify your question/need?
Hey Rabin,
I was directing my traffic to https using a plugin. However, I decided to enable both http and https versions a few days ago. Therefore, I removed the redirects I had in place. All is working fine except sometimes, I see that pages look broken in pagespeed or on mobile. I was looking for a solution that helps me keep both versions working perfectly. Will this code work? I was ready to copy it when I thought, I must ask you.
Thanks!
I worked with this quick hack for some time, and didn’t have any problems.
But you should reconsider (as am I) and use only https and redirect all http traffic to https, as you can use a free cert now from Let’s Encrypt.
It’s actually a different factor that made me reconsider. I have got a valid SSL cert from Comodo. Take a look at this site – sparknotes.com. It is a reputed one but uses both versions. My reasons are similar.
However, I found out. A plugin was causing the issue. Changing the settings fixed it.
Hi Rabin, I want my website to use http and https and www. Can you help me?
Hi @Hana,
HTTP/HTTPS is a communication protocol; the `www` part is a subdomain.
Personally I don’t recommend investing in this, as browsers nowadays will force you to use HTTPS if available.
Just use HTTPS and you can issue Free Certificates using Let’s Encrypt to automate the process and never think about this ever again.