Find WordPress HTTP Links
Have you converted your WordPress sites to display a Secure notice for visitors?
I converted my sites to https
after Google announced an upcoming change to the Chrome browser:
Eventually, Chrome will show a Not Secure warning for all pages served over HTTP, regardless of whether or not the page contains sensitive input fields. Even if you adopt one of the more targeted resolutions above, you should plan to migrate your site to use HTTPS for all pages.
WordPress Requirements
WordPress has two https requirements:
- An SSL certificate for your Web server.
- Get a free certificate from Let’s Encrypt for generic servers.
- Got cPanel? cPanel partnered with Comodo, a certificate vendor, to offer free SSL certificates.
- Edit wp-config.php.
- Add
define( 'FORCE_SSL_ADMIN', true );
- Secure your Dashboard.
- Login and edit “WordPress Address” and “Site Address” on General Settings
- Can’t edit options? Options in wp-config.php override General Settings.
- Edit
WP_SITEURL
andWP_HOME
in wp-config.php.
- Add
Mixed Content
After updating your site’s address, you must update your old http
links.
Browsers display a mixed content warning if a Web page uses ‘http’ resources on an ‘https’ page.
All content must have https
links. The problem is often images. See How to Deploy HTTPS Correctly by Electronic Frontier Foundation, for additional information.
The Chrome browser complains about images with http
links:
Attackers might be able to see the images you’re looking at on this site and trick you by modifying them.
How can you find and fix these errors on a WordPress site?
If you have access to your server’s command line, skip ahead to WP-CLI instructions. Otherwise, use my new plugin.
Find WordPress HTTP Links Plugin
I wrote a WordPress plugin to find http links in posts, page, postmeta, options, widgets.
My plugin checks text widgets, RSS widgets and the media widgets added to WordPress 4.8.
Download the plugin from the Github Release. Install it on an SSL site.
Users must be able to edit_published_posts to use the plugin.
Select “Find Http Links” on the tools menu to search your site.
Reports
Displays reports for published pages and posts, custom post fields, options and widgets.
Documents are displayed with an edit link, and marked if the mixed content is in a custom post field.
Edit links open in a new tab, to preserve the report.
Plugin does not check user data. For example, there might be an old ‘http’ link to the site in a user bio. I might add that in a future version.
Missing Data?
Many WordPress plugins add info to the database, but fail to remove it when they are uninstalled.
The original release of my Quick Mail plugin left info in database. It seemed like a good idea at the time, in case the plugin was reinstalled. Recent versions of Quick Mail remove settings when the plugin is uninstalled.
If you see data like _schema_article
shown, but cannot find it, it could belong to a plugin that was uninstalled.
You might also have a plugin to manage widgets, that stores data differently than WordPress.
You must edit your database to remove obsolete info.
Fake Mode
Fake Mode lets you work on a test site, as though it was the “real site.”
Example: Babies Monthly was updated from http to https. I can install the site at home, by modifying wp-config.php:
if (empty($_SERVER['SERVER_ADDR']) || $_SERVER['SERVER_ADDR'] == '127.0.0.1') {
define('WP_SITEURL', "http://dev.babiesmonthly.com");
define('WP_HOME', "http://dev.babiesmonthly.com");
}
However, the database value for wp_options.home
is
https://babiesmonthly.com
Plugin detects the difference when it loads, and runs in “Fake Mode.” It pretends
that it is running on http://babiesmonthly.com
and converts
http links to https://babiesmonthly.com
.
You can use the plugin to find errors, or replace the production database after replacing links.
Very helpful!
More Features For Developers
Programmers can add a filter for two settings.
Purpose | Default |
---|---|
Minimum Permission | edit_published_posts |
Links per page | 20 |
Test Additional Content
- Check themes for hardcoded http scripts and stylesheets.
- For example, Google fonts are not displayed on an https site, if you load them with an http link.
- Check plugins, widgets and shortcodes for http image links.
Do Not Forget to Test External Links
Use w3C Link Checker to verify your new links. If you see:
http://example.com/test redirected to https://example.com/test
Find the link on your site, or image from another site, and fix it. Many http links have been updated to https.
Google / Bing / Social
Update your sitemap after fixing links. If you use Google or Bing Webmaster Tools, you can create a new profile for your https
site.
Update your Twitter, Facebook, Instagram, Google+ profiles.
Verify Results
Use Jitbit’s SSL Checker to test your site.
Jitbit’s free service checks up to 200 documents.
This site has over 200 posts, besides links for tags, categories, pages, etc.
Jitbit’s page limit inspired me to write this WordPress plugin, to check the entire site.
WP-CLI
WP-CLI lets you manipulate WordPress from a command line. It “just works” on *nix / MacOs. I found directions to install WP-CLI on Microsoft Windows, but I have not tested them.
It is easy to fix mixed content errors with WP-CLI’s search / replace command. Try:
wp search-replace 'http://example.com' 'https://example.com' --all-tables --skip-columns=guid --skip-columns=pinged --precise --dry-run
- Remove
--all-tables
to limit replace. See Documentation. - Remove
--dry-run
to replace links.
The search replace command will update your content links, or every link, depending on settings.
Follow my instructions to check additional content, etc.
Get Find WordPress HTTP Links
Clone or fork Find WP Http links on Github or download the latest release as a .zip.
I am not sure if I will add the plugin to the WordPress Plugin Repository.
Comments
Interesting idea. Nice display and reports.
Thank you.