New blog post: Using SSL in WordPress admin ... http://pixopoint.com/2011/10/08/using-ssl-in-wordpress-admin/
2 plus ones
Shared publicly•View activity
View 9 previous comments
- I don't think I've ever visited the WordPress admin panel in IE. I thought your issue was with https being added to the image URLs instead of just http. I guess I misunderstood.
Would you get the same problem if you paid for a certificate? I don't really care if it spits out errors to IE users right now, although I would if I end up putting paying customers onto it (which would require me paying for an SSL certificate).Oct 14, 2011
- If you're using a commercial ssl certificate, I don't believe having the odd https served image in a post will be a problem. As long as the certificate correctly matches your domain.
I'm not an expert in all things SSL - just the bits I've had the opportunity to bang my head against.
For our company's internal use, we're fine with a self-signed certificate. But, as I said, the rest of the staff use IE pretty exclusively. And if you use IE, you'll see that various assets are served http even when your site is set to force ssl in the admin, because you'll get an annoying popup warning on every page telling you so, and offering you the option (by default) to block insecure items.
Some of those items are served http because plugin authors are not following current recommendations for building URIs passed to wp_enqueue_script() or wp_enqueue_style(). Too many are still using constants now reserved to core, rather than the functions that return URIs correctly set as http or https. ( See: http://codex.wordpress.org/Determining_Plugin_and_Content_Directories ) - these are the ones that will break your admin when the user opts to block insecure content, and jQuery libraries are blocked.
In addition, there's a bug, where attachments are always served http - see: http://core.trac.wordpress.org/ticket/15928 - so anything on the post editor, like post thumbnails, or the media library, or certain plugins - that depend on wp_get_attachment_url - will generate 'mixed content' errors when viewed securely in IE.
My fix was (perhaps overkill) to ensure that anything that depended on those functions would behave correctly. That and fixing several plugins so they enqueued scripts and css properly took care of all the mixed content warnings. I thought I was done. Until I found the 'insert into post' issue.
Again - sorry for the false alarm. I hadn't realized I wouldn't have had the issue without having first worked around the wp_get_attachment_url bug.Oct 14, 2011
- Thanks for pointing all this out. It doesn't matter to me right now, but it will in future so it is good to know I need to deal with this sort of thing at some point.
To be honest I don't know what httpd is. I'd seen it elsewhere recently, but assumed it was a typo and was meant to say https ... off to Google it now.Oct 14, 2011
- I don't see that I typed httpd anywhere in this exchange.
BTW: httpd is your web server - the actual name of the apache binary program on some linux installations. Stands for http daemon.Oct 14, 2011
- Oh this is really weird, lol. I went to check what you wrote as it just didn't make sense. And httpd was nowhere to be seen, so I edited my post and scratched my head.
Then I scrolled up and hit "expand comment" and your httpd stuff returned, so I edited my comment, and then your httpd stuff disappeard. I think Google is having a little fit and punching content in out of nowhere. It's like it's somehow shunting content from one notification (I'm on the notifications box right now) into another notification. Very odd ....Oct 14, 2011
- And yeah, I thought httpd was a web server, but in the context of your post, it sounded like you were referring to it being a URL. It seems that another notification (about httpd) is being sporadically injected into your comments here.
Sheesh! That gets REALLY confusing when the stuff getting mixed up is sort of similar, but not quite, so they don't look out of place!
Anyhows, thanks for pointing out the limitations of self-signing certificates so I know to be wary of it.Oct 14, 2011