Force Load https WordPress Plugins

Having a mixed security issue that is affecting functionality in browsers because some of my plugins are loading with http instead of https. I’m running under a multisite setup.

Thanks!

Read More

This is what I have in my htaccess

# BEGIN WordPress
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

RewriteBase /
RewriteRule ^index.php$ - [L]

# uploaded files
RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule  ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L]
RewriteRule  ^[_0-9a-zA-Z-]+/(.*.php)$ $1 [L]
RewriteRule . index.php [L]
# END WordPress

Related posts

Leave a Reply

1 comment

  1. Most likely, what you mean is that some assets (images, JavaScript, etc.) rendered by your plugins are being served explicitly over http. (Please correct me if I’ve misunderstood).

    These problems need to be fixed in each of the individual plugins, and the fixes will vary based on how the assets are referred to. There are lots of ways to refer to assets, and lots of ways to specify a protocol. (In general, if you use something like site_url() to generate links to assets, they’ll automatically be assigned the correct protocol. But there are lots of WordPress functions that do this kind of thing.) You’ll have to pop open the offending plugins and look.

    The bad news is, no amount of rewriting with htaccess will fix this issue for you. Your browser makes this “mixed content” determination before actually requesting all the files. And though the requests may eventually be rewritten to https, your browser won’t notice. The browser only cares about how assets are referred to in the page markup, and rewrite rules don’t change markup at all–only the way in which the server reacts to specific requests.

    You feel me?