How to install WordPress on NearlyFreeSpeech – Part 3 – HTTPS/SSL

The first post helped you get your NFS database set up. The second post got WordPress installed. And this third post will show you how to serve your WordPress site via HTTPS/SSL.

Using TLS / HTTPS can be tricky to get configured. First, make sure you don’t have an .htaccess file in your root redirecting traffic to HTTPS while you are installing WordPress. If you do have it you’ll get funny errors when trying to access the admin login page. Just rename it for the time being until you get this bit working, then change it back to .htaccess.

To configure WordPress to run under HTTPS make sure that you’ve set up and enabled SSL for your site, and that it’s working – but as noted don’t force redirection for the minute.

Add this to the end of wp-config.php:

/** Use HTTPS for WordPress */
if ( $_SERVER[ 'HTTP_X_FORWARDED_PROTO' ] == 'https' ) $_SERVER[ 'HTTPS' ] = 'on';

In your WordPress dashboard, under Settings > General, update your “WordPress Address (URL)” and “Site Address (URL)” from “HTTP” to “HTTPS”.

Redirect Loop
Note that when you make the change to the site names under Settings > General, it can occasionally result in a redirect loop error. You’ll no longer being able to access the wp-admin pages. To fix this (from here: https://codex.wordpress.org/Changing_The_Site_URL) you can edit the settings via phpMyAdmin. Go to your database table ‘wp-options’ and change the ‘siteurl’ and ‘home’ values.

Or you can manually change the sites back to what they were before by putting these two lines in the wp-config.php file then you can get back into the settings page and turn back to HTTP before removing these from wp-config.php and troubleshooting the problem:

define('WP_HOME','http://www.mc-guinness.co.uk/blog');
define('WP_SITEURL','http://www.mc-guinness.co.uk/blog');

Insecure Assets
There is another common issue whereby, just after you turn on HTTPS you get an error from your browser when you visit the site on HTTPS which warns you about some of the site’s asseets loading from an insecure location.

This happens because the domain is on HTTPS and there is a cert for the domain, but Chrome was blocking all of the scripts and css files in the source code that were being called from HTTP. To fix this we need a WordPress plugin which will go into my source and convert all the HTTP urls into HTTPS urls if the user was hitting the site via HTTPS://

Use the “SSL Insecure Content Fixer” plugin to fix this: http://wordpress.org/extend/plugins/ssl-insecure-content-fixer/ .

And we also need to add in our own custom plugin to let the server know when a user is accessing via HTTPS. To do this access your root/wp-content/plugins directory via SSH then create a file called force-ssl-url-scheme.php and add this content:

<?php
/*
Plugin Name: Force SSL URL Scheme
Plugin URI: https://gist.github.com/webaware/4688802
Description: Force the protocol scheme to be HTTPS when is_ssl() doesn't work
Version: 1.0.0
Author: WebAware
Author URI: http://www.webaware.com.au/

@ref: http://wordpress.org/support/topic/ssl-insecure-needs-35-compatibility
*/

/*
copyright (c) 2013 WebAware Pty Ltd (email : rmckay@webaware.com.au)

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License, version 2, as
published by the Free Software Foundation.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/

// if site is set to run on SSL, then force-enable SSL detection!
if (stripos(get_option('siteurl'), ' https://') === 0) {
$_SERVER['HTTPS'] = 'on';

// add JavaScript detection of page protocol, and pray!
add_action('wp_print_scripts', 'force_ssl_url_scheme_script');
}

function force_ssl_url_scheme_script() {
?>
<script>
if (document.location.protocol != "https:") {
document.location = document.URL.replace(/^http:/i, "https:");
}
</script>
<?php
}

Run the following commands again to make sure the permissions of this new plugin are correct:

chgrp -R web *
find . -type d -exec chmod 775 {} \; 
find . -type f -exec chmod 664 {} \;

Now go into your WordPress admin screen and enable this new plugin.

TTPS/TLS access is tricky to get completely correct. For instance, for some reason I had a lot of trouble even after following these steps with trying to get my WordPress wp-admin pages loading in HTTPS but others have had absolutely no issues with this. Google will ultimately be your best friend in diagnosing those ‘unique’ issues that always seem to crop up.

Leave a Reply

(email optional)